From: Seth Forshee
To: "Eric W. Biederman", Alexander Viro, Paul Moore, Stephen Smalley, Eric Paris
Cc: Serge Hallyn, Andy Lutomirski, Seth Forshee, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, James Morris, "Serge E. Hallyn"
Subject: [PATCH 6/7] selinux: Ignore security labels on user namespace mounts
Date: Wed, 15 Jul 2015 14:46:07 -0500
Message-Id: <1436989569-69582-7-git-send-email-seth.forshee@canonical.com>

Unprivileged users should not be able to supply security labels in
filesystems, nor should they be able to supply security contexts in
unprivileged mounts. For any mount where s_user_ns is not init_user_ns,
force the use of SECURITY_FS_USE_NONE behavior and return EPERM if any
contexts are supplied in the mount options.

Signed-off-by: Seth Forshee

--- security/selinux/hooks.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 459e71ddbc9d..eeb71e45ab82 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -732,6 +732,19 @@ static int selinux_set_mnt_opts(struct super_block *sb, !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS; + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels mus be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) + return -EPERM; + sbsec->behavior = SECURITY_FS_USE_NONE; + goto out_set_opts; + } + + if (!sbsec->behavior) { /* * Determine the labeling behavior to use for this @@ -813,6 +826,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
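Review bot: in the first hunk, the bare `return -EPERM;` inside the new `sb->s_user_ns != &init_user_ns` block leaves the function without passing through the `out:` label, which the second hunk shows is where `mutex_unlock(&sbsec->lock)` runs. If sbsec->lock is held at that point, as that exit path implies, rejecting a mount that supplies a context option would leave the mutex locked; setting `rc = -EPERM;` and using `goto out;` keeps the unlock on the error path. Two smaller points in the same hunk: the new comment has a typo ("mus be ignored"), and the hunk ends with two consecutive added blank lines where one is enough.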
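Review bot: the `out_set_opts:` label added in the second hunk is reached by a `goto` that skips everything between the new namespace check and `sb_finish_set_opts(sb)`, including the `sbsec->def_sid = defcontext_sid;` assignment visible just above the label. That is only correct because the first hunk rejects any non-zero context SID before jumping, so a one-line comment at the label stating that dependency would help keep a later change to the rejection logic from silently leaving the skipped fields unset.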