Diffstat (limited to 'security/chromiumos/lsm.c')
-rw-r--r--security/chromiumos/lsm.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/security/chromiumos/lsm.c b/security/chromiumos/lsm.c
index d38c3032127882..9ade38ba299643 100644
--- a/security/chromiumos/lsm.c
+++ b/security/chromiumos/lsm.c
@@ -41,6 +41,15 @@
#include "inode_mark.h"
#include "utils.h"
+static int allow_overlayfs;
+
+static int __init allow_overlayfs_set(char *__unused)
+{
+ allow_overlayfs = 1;
+ return 1;
+}
+__setup("chromiumos.allow_overlayfs", allow_overlayfs_set);
+
#if defined(CONFIG_SECURITY_CHROMIUMOS_NO_UNPRIVILEGED_UNSAFE_MOUNTS) || \
defined(CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT)
static void report(const char *origin, const struct path *path, char *operation)
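Review bot: The new `allow_overlayfs` flag is a boot-time opt-out of a security check, but nothing at its definition says so; a reader of lsm.c sees a bare `static int` and has to find the `__setup` line to learn what it disables. I would add above it `/* Set via the "chromiumos.allow_overlayfs" kernel command line; when non-zero the overlay-type check in sb_mount is skipped. */`. Since the handler only runs during init, the variable looks like a candidate for `__ro_after_init` so it cannot be flipped later (`static int allow_overlayfs __ro_after_init;`), assuming this tree supports that annotation. As a style point, `__unused` as a parameter name reads like an attribute macro; `str` is the usual name in `__setup` handlers.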
@@ -82,6 +91,13 @@ static int chromiumos_security_sb_mount(const char *dev_name,
const char *type, unsigned long flags,
void *data)
{
+ if (!allow_overlayfs && type && !strcmp(type, "overlay")) {
+ report("sb_mount", path, "Overlayfs mounts prohibited");
+ pr_notice("sb_mount dev=%s type=%s flags=%#lx\n",
+ dev_name, type, flags);
+ return -EPERM;
+ }
+
#ifdef CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT
if (nameidata_get_total_link_count()) {
report("sb_mount", path, "Mount path with symlinks prohibited");
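Review bot: The new block calls `report()` unconditionally, but the first hunk shows `report()` is only defined under `#if defined(CONFIG_SECURITY_CHROMIUMOS_NO_UNPRIVILEGED_UNSAFE_MOUNTS) || defined(CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT)`, so a build with neither option set would fail on an undeclared function unless chromiumos_security_sb_mount is itself compiled under the same guard (its start is outside the hunk). If the function is not guarded, either move `report()`'s guard so it is always available or wrap the new check to match, e.g. `#if defined(CONFIG_SECURITY_CHROMIUMOS_NO_UNPRIVILEGED_UNSAFE_MOUNTS) || defined(CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT)` around it. The check also deserves a one-line comment stating why overlay is refused by default, since the `strcmp` against a literal fs name is the whole policy. The enclosing function continues past the end of the hunk.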