From 74192246910ff4fb95309ba1a683215644beeb62 Mon Sep 17 00:00:00 2001
From: James Morris <jmorris@namei.org>
Date: Fri, 19 Dec 2008 11:41:10 +1100
Subject: SELinux: don't check permissions for kernel mounts

Don't bother checking permissions when the kernel performs an
internal mount, as this should always be allowed.

Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/hooks.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'security/selinux')

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7465d713b531..853b58c8b2cb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2484,6 +2484,10 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
 	if (rc)
 		return rc;
 
+	/* Allow all mounts performed by the kernel */
+	if (flags & MS_KERNMOUNT)
+		return 0;
+
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.path.dentry = sb->s_root;
 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
-- 
cgit v1.2.3