From: Seth Forshee
To: "Eric W. Biederman", Alexander Viro, Paul Moore, Stephen Smalley, Eric Paris
Cc: Serge Hallyn, Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH v2 7/7] selinux: Add support for unprivileged mounts from user namespaces
Date: Mon, 10 Aug 2015 16:05:18 -0500
Message-Id: <1439240719-46850-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1439240719-46850-1-git-send-email-seth.forshee@canonical.com>

Security labels from unprivileged mounts in user namespaces must be
ignored. Force superblocks from user namespaces whose labeling
behavior is to use xattrs to use mountpoint labeling instead. For
the mountpoint label, default to converting the current task
context into a form suitable for file objects, but also allow the
policy writer to specify a different label through policy
transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee
---
 security/selinux/hooks.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 459e71ddbc9d..242dac0b8b24 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -745,6 +745,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -813,6 +835,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
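
Review bot: In the first hunk (the `sb->s_user_ns != &init_user_ns` block), the comment says security labels must be ignored, but `sbsec->behavior` is only overridden when it equals SECURITY_FS_USE_XATTR; any other behavior value reaches `goto out_set_opts;` unchanged. Please extend the comment to say why only the xattr behavior needs forcing to SECURITY_FS_USE_MNTPOINT, or handle the remaining behaviors explicitly. The security_transition_sid() call also takes current_sid() for both the source and target SID while the unchanged context just below passes `cred`; a short note on why the task SID is the intended input here would help.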
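
Review bot: The `out_set_opts:` label added in the second hunk lets the user-namespace path bypass everything from the fscontext_sid handling down to the `sbsec->def_sid = defcontext_sid;` assignment, and nothing at the label or at the `goto` says so. Please add a one-line comment stating what the skipped section does and why bypassing it is safe once the new block has established that all four *_sid values are zero, so the control flow can be checked without rereading the whole function.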