Message ID | 20181213141739.8534-2-omosnace@redhat.com (mailing list archive) |
---|---|
State | Not Applicable |
Series | Fix SELinux context mount with the cgroup filesystem |

Hello,

On Thu, Dec 13, 2018 at 03:17:37PM +0100, Ondrej Mosnacek wrote:
> This fixes the case where all mount options specified are consumed by an
> LSM and all that's left is an empty string. In this case cgroupfs should
> accept the string and not fail.
>
> How to reproduce (with SELinux enabled):
>
> # umount /sys/fs/cgroup/unified
> # mount -o context=system_u:object_r:cgroup_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
> mount: /sys/fs/cgroup/unified: wrong fs type, bad option, bad superblock on cgroup2, missing codepage or helper program, or other error.
> # dmesg | tail -n 1
> [ 31.575952] cgroup: cgroup2: unknown option ""
>
> Fixes: 67e9c74b8a87 ("cgroup: replace __DEVEL__sane_behavior with cgroup2 fs type")
> [NOTE: should apply on top of commit 5136f6365ce3 ("cgroup: implement "nsdelegate" mount option"), older versions need manual rebase]
> Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Applied to cgroup/for-4.21.

Thanks.

Hi Tejun,

On Thu, Dec 13, 2018 at 5:03 PM Tejun Heo <tj@kernel.org> wrote:
>
> Hello,
>
> On Thu, Dec 13, 2018 at 03:17:37PM +0100, Ondrej Mosnacek wrote:
> > This fixes the case where all mount options specified are consumed by an
> > LSM and all that's left is an empty string. In this case cgroupfs should
> > accept the string and not fail.
> >
> > How to reproduce (with SELinux enabled):
> >
> > # umount /sys/fs/cgroup/unified
> > # mount -o context=system_u:object_r:cgroup_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
> > mount: /sys/fs/cgroup/unified: wrong fs type, bad option, bad superblock on cgroup2, missing codepage or helper program, or other error.
> > # dmesg | tail -n 1
> > [ 31.575952] cgroup: cgroup2: unknown option ""
> >
> > Fixes: 67e9c74b8a87 ("cgroup: replace __DEVEL__sane_behavior with cgroup2 fs type")
> > [NOTE: should apply on top of commit 5136f6365ce3 ("cgroup: implement "nsdelegate" mount option"), older versions need manual rebase]
> > Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Applied to cgroup/for-4.21.

I still can't see the patch in your for-4.21 branch [1] (and it
doesn't seem to be included in your 4.21-rc1 pull request either [2]).
Did you perhaps forget to apply it?

[1] https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/log/?h=for-4.21
[2] https://lore.kernel.org/lkml/20181228021605.GI2509588@devbig004.ftw2.facebook.com/

Cheers,

--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.

On Fri, Dec 28, 2018 at 04:14:01PM +0100, Ondrej Mosnacek wrote:
> > Applied to cgroup/for-4.21.
>
> I still can't see the patch in your for-4.21 branch [1] (and it
> doesn't seem to be included in your 4.21-rc1 pull request either [2]).
> Did you perhaps forget to apply it?

Indeed. I'll amend the pull request.

Thanks.

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index 6aaf5dd5383b..8cb616232035 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -1744,7 +1744,7 @@ static int parse_cgroup_root_flags(char *data, unsigned int *root_flags) *root_flags = 0; - if (!data) + if (!data || *data == '\0') return 0; while ((token = strsep(&data, ",")) != NULL) {
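
Review bot: The new check at the top of parse_cgroup_root_flags() only covers a completely empty string; the strsep(&data, ",") loop right below it still yields an empty token for input with a leading, trailing or doubled comma, which would presumably end in the same unknown option "" error quoted in the commit message. If the LSM option stripping can ever leave such a string, consider skipping empty tokens inside the loop instead (if (!*token) continue;), which also covers the fully empty case; otherwise a one-line comment stating that the LSM hands over either NULL or "" would document why the top-level check is sufficient. Minor style point: !*data is the more common kernel spelling of *data == '\0'.
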
This fixes the case where all mount options specified are consumed by an
LSM and all that's left is an empty string. In this case cgroupfs should
accept the string and not fail.

How to reproduce (with SELinux enabled):

# umount /sys/fs/cgroup/unified
# mount -o context=system_u:object_r:cgroup_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
mount: /sys/fs/cgroup/unified: wrong fs type, bad option, bad superblock on cgroup2, missing codepage or helper program, or other error.
# dmesg | tail -n 1
[ 31.575952] cgroup: cgroup2: unknown option ""

Fixes: 67e9c74b8a87 ("cgroup: replace __DEVEL__sane_behavior with cgroup2 fs type")
[NOTE: should apply on top of commit 5136f6365ce3 ("cgroup: implement "nsdelegate" mount option"), older versions need manual rebase]
Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 kernel/cgroup/cgroup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
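
The failure mode from the commit message, as an added user-space model (not kernel code and not part of the patch): a tokenizer with strsep() semantics returns one empty token for an empty string, which an option loop then rejects. The helper names, the flag value, the -1 return and the loop body are assumptions for illustration; only the option name nsdelegate and the two forms of the check come from the page.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_NSDELEGATE 0x1u /* constructed flag value, not the kernel's */

/* Stand-in with strsep() semantics: NULL only when *sp is NULL, so an
 * empty string still yields exactly one empty token. */
static char *next_token(char **sp, char delim)
{
    char *tok = *sp, *end;
    if (!tok)
        return NULL;
    end = strchr(tok, delim);
    if (end)
        *end++ = '\0';
    *sp = end; /* NULL after the last token */
    return tok;
}

/* Model of the option loop; patched != 0 selects the patched check.
 * The loop body (one known option, error otherwise) is an assumption. */
static int model_parse_flags(const char *opts, int patched, unsigned int *flags)
{
    char buf[128], *data = NULL, *token;
    *flags = 0;
    if (opts) { /* work on a copy, the tokenizer writes into the string */
        snprintf(buf, sizeof(buf), "%s", opts);
        data = buf;
    }
    if (!data || (patched && *data == '\0'))
        return 0;
    while ((token = next_token(&data, ',')) != NULL) {
        if (!strcmp(token, "nsdelegate")) {
            *flags |= MODEL_NSDELEGATE;
            continue;
        }
        fprintf(stderr, "model: unknown option \"%s\"\n", token);
        return -1; /* stands in for the kernel's error return */
    }
    return 0;
}

int main(void)
{
    unsigned int f;
    printf("unpatched \"\": %d\n", model_parse_flags("", 0, &f));
    printf("patched   \"\": %d\n", model_parse_flags("", 1, &f));
    return 0;
}
```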