From patchwork Tue Nov 17 16:39:08 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7639271
From: Seth Forshee
To: "Eric W. Biederman", Paul Moore, Stephen Smalley, Eric Paris
Cc: Alexander Viro, Serge Hallyn, Andy Lutomirski, linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH v3 5/7] selinux: Add support for unprivileged mounts from user namespaces
Date: Tue, 17 Nov 2015 10:39:08 -0600
Message-Id: <1447778351-118699-6-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1447778351-118699-1-git-send-email-seth.forshee@canonical.com>
References: <1447778351-118699-1-git-send-email-seth.forshee@canonical.com>

Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee
Acked-by: Stephen Smalley
Acked-by: James Morris
---
 security/selinux/hooks.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index de05207eb665..09be1dc21e58 100644 --- a/security/selinux/hooks.c 
+++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
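
Review bot: In the first hunk, inside the `sbsec->behavior == SECURITY_FS_USE_XATTR` branch, `sbsec->behavior` is switched to `SECURITY_FS_USE_MNTPOINT` before `security_transition_sid()` has succeeded, so the `if (rc) goto out;` path leaves the superblock security struct marked for mountpoint labeling while this branch has not written a valid `sbsec->mntpoint_sid`. Call `security_transition_sid()` first and assign `sbsec->behavior` only once `rc` is 0. The block comment also says security labels must be ignored, yet only the xattr behavior is overridden; a sentence on why the other labeling behaviors may reach `out_set_opts` unchanged would make that intent checkable.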
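
Review bot: The `out_set_opts:` label added in the second hunk makes the user-namespace path jump from the block at line 756 straight to `rc = sb_finish_set_opts(sb);`, and neither the patch nor the commit message states that everything skipped in between is purely mount-option context handling. The four `*_sid` values are known to be zero on that path, which covers the conditional blocks visible here (`if (fscontext_sid)` and the `sbsec->def_sid = defcontext_sid;` assignment), but the intervening code is not in the diff context. A line in the commit message or in the new block comment saying that the skipped section contains no unconditional setup would let a reader confirm the shortcut without opening the full function.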