[PATCH v4 3/3] selinux: fix overlayfs mmap() and mprotect() access checks

Thu Apr 9 19:16:53 AEST 2026

On Tue, Apr 7, 2026 at 10:21 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Tue, Apr 7, 2026 at 3:20 PM Stephen Smalley
> <stephen.smalley.work at gmail.com> wrote:
> > On Tue, Apr 7, 2026 at 10:35 AM Paul Moore <paul at paul-moore.com> wrote:
> > > On Tue, Apr 7, 2026 at 8:14 AM Stephen Smalley
> > > <stephen.smalley.work at gmail.com> wrote:
> > > > On Thu, Apr 2, 2026 at 11:09 PM Paul Moore <paul at paul-moore.com> wrote:
> > > > >
> > > > > The existing SELinux security model for overlayfs is to allow access if
> > > > > the current task is able to access the top level file (the "user" file)
> > > > > and the mounter's credentials are sufficient to access the lower
> > > > > level file (the "backing" file).  Unfortunately, the current code does
> > > > > not properly enforce these access controls for both mmap() and mprotect()
> > > > > operations on overlayfs filesystems.
> > > > >
> > > > > This patch makes use of the newly created security_mmap_backing_file()
> > > > > LSM hook to provide the missing backing file enforcement for mmap()
> > > > > operations, and leverages the backing file API and new LSM blob to
> > > > > provide the necessary information to properly enforce the mprotect()
> > > > > access controls.
> > > > >
> > > > > Cc: stable at vger.kernel.org
> > > > > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > > >
> > > > Do you have tests for these changes showing the before and after (i.e.
> > > > failing without your patches, passing with them)? I tried running an
> > > > earlier set from Ondrej but they failed.
> > >
> > > A few months ago I sent you and Ondrej some feedback on those early
> > > tests from Ondrej, but yes, I also had problems with Ondrej's tests.
> > > I've been using a hacked up combination of the existing tests, some of
> > > Ondrej's additions, and an additional debug/test patch to ensure the
> > > labeling is correct.  It's far from ideal, but I didn't invest time in
> > > test development as I assumed Ondrej would continue his efforts there
> > > (unfortunately it doesn't appear that he has?), and I wanted to focus
> > > on getting a solution as soon as possible for obvious reasons.
> >
> > Ok, I'm happy to look at even unpolished tests - just want something I
> > can use to exercise the before and after states.
>
> Hopefully Ondrej can provide an updated patch.

Sorry for the radio silence... I just posted the fixed patch to the list.

I also pushed a more targeted standalone TMT/beakerlib test here,
which also tests the dynamic transition situation:
https://src.fedoraproject.org/fork/omos/tests/selinux/blob/overlayfs-mmap-bugs/f/kernel/overlayfs-mmap-bugs

To run it on Fedora, it should be enough to `dnf install -y beakerlib
selinux-policy-devel gcc` and run the runtest.sh script directly.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.