From patchwork Mon Jan 4 18:03:56 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7950331
From: Seth Forshee
To: "Eric W. Biederman", Miklos Szeredi
Cc: Serge Hallyn, Seth Forshee, dm-devel@redhat.com, linux-security-module@vger.kernel.org, Richard Weinberger, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH RESEND v2 17/18] fuse: Restrict allow_other to the superblock's namespace or a descendant
Date: Mon, 4 Jan 2016 12:03:56 -0600
Message-Id: <1451930639-94331-18-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Unprivileged users are normally restricted from mounting with the allow_other option by system policy, but this could be bypassed for a mount done with user namespace root permissions. In such cases allow_other should not allow users outside the userns to access the mount as doing so would give the unprivileged user the ability to manipulate processes it would otherwise be unable to manipulate. Restrict allow_other to apply to users in the same userns used at mount or a descendant of that namespace.

Signed-off-by: Seth Forshee Acked-by: Serge Hallyn Acked-by: Miklos Szeredi --- fs/fuse/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index 8fd9fe4dcd43..24e4cdb554f1 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -1015,7 +1015,7 @@ int fuse_allow_current_process(struct fuse_conn *fc) const struct cred *cred; if (fc->flags & FUSE_ALLOW_OTHER) - return 1; + return current_in_userns(fc->user_ns); cred = current_cred(); if (uid_eq(cred->euid, fc->user_id) &&
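
Review bot: In the FUSE_ALLOW_OTHER branch of fuse_allow_current_process(), the new `return current_in_userns(fc->user_ns);` returns 0 for a caller outside the namespace without ever reaching the `uid_eq(cred->euid, fc->user_id)` comparison that follows, so a task outside fc->user_ns that would pass that credential check on a mount without allow_other is refused on a mount with it. If that stricter result is intended, a short comment on the branch saying so would save the next reader the question; if it is not, `if ((fc->flags & FUSE_ALLOW_OTHER) && current_in_userns(fc->user_ns)) return 1;` keeps the fallthrough to the credential comparison. The "or a descendant" half of the commit message also rests entirely on what current_in_userns() accepts, which this hunk does not show, so it is worth stating at the call site that descendants of fc->user_ns are meant to pass.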