Diffstat (limited to 'security/chromiumos/lsm.c')
-rw-r--r-- | security/chromiumos/lsm.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/security/chromiumos/lsm.c b/security/chromiumos/lsm.c
index d38c3032127882..9ade38ba299643 100644
--- a/security/chromiumos/lsm.c
+++ b/security/chromiumos/lsm.c
@@ -41,6 +41,15 @@
 #include "inode_mark.h"
 #include "utils.h"
 
+static int allow_overlayfs;
+
+static int __init allow_overlayfs_set(char *__unused)
+{
+	allow_overlayfs = 1;
+	return 1;
+}
+__setup("chromiumos.allow_overlayfs", allow_overlayfs_set);
+
 #if defined(CONFIG_SECURITY_CHROMIUMOS_NO_UNPRIVILEGED_UNSAFE_MOUNTS) || \
 	defined(CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT)
 static void report(const char *origin, const struct path *path, char *operation)
@@ -82,6 +91,13 @@ static int chromiumos_security_sb_mount(const char *dev_name,
 					const char *type, unsigned long flags,
 					void *data)
 {
+	if (!allow_overlayfs && type && !strcmp(type, "overlay")) {
+		report("sb_mount", path, "Overlayfs mounts prohibited");
+		pr_notice("sb_mount dev=%s type=%s flags=%#lx\n",
+			  dev_name, type, flags);
+		return -EPERM;
+	}
+
 #ifdef CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT
 	if (nameidata_get_total_link_count()) {
 		report("sb_mount", path, "Mount path with symlinks prohibited"); |
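Review bot: The `pr_notice` in the new overlay branch of `chromiumos_security_sb_mount` is not rate-limited and echoes the caller-supplied `dev_name` on every rejected attempt, so repeated denied mounts can flood the kernel log; `pr_notice_ratelimited("sb_mount dev=%s type=%s flags=%#lx\n", dev_name, type, flags);` keeps the audit signal without that exposure (I cannot see whether `report()` already rate-limits its own output). The denial is an exact `strcmp` against `"overlay"`, so if this tree also registers a legacy `overlayfs` name for the same filesystem the check should cover it as well — worth confirming against fs/overlayfs in this tree. The `allow_overlayfs` switch in the first hunk has no comment; I would put above it `/* Boot-time escape hatch: "chromiumos.allow_overlayfs" on the kernel command line disables the overlayfs mount denial in chromiumos_security_sb_mount(). */`. The enclosing function starts before this hunk (its `path` parameter line is outside it) and continues past its last line.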