From patchwork Wed Sep 23 20:16:07 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7252261
From: Seth Forshee
To: "Eric W. Biederman", Alexander Viro, Paul Moore, Stephen Smalley, Eric Paris
Cc: Serge Hallyn, Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH v4 7/7] selinux: Add support for unprivileged mounts from user namespaces
Date: Wed, 23 Sep 2015 15:16:07 -0500
Message-Id: <1443039368-55445-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1443039368-55445-1-git-send-email-seth.forshee@canonical.com>
References: <1443039368-55445-1-git-send-email-seth.forshee@canonical.com>

Security labels from unprivileged mounts in user namespaces must be
ignored. Force superblocks from user namespaces whose labeling
behavior is to use xattrs to use mountpoint labeling instead. For the
mountpoint label, default to converting the current task context into
a form suitable for file objects, but also allow the policy writer to
specify a different label through policy transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index de05207eb665..09be1dc21e58 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
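
Review bot: In the first hunk (`@@ -756,6 +756,28 @@`), the new user-namespace branch writes the result of `security_transition_sid()` directly into `sbsec->mntpoint_sid` with no permission check, while the unchanged line right after the branch runs `may_context_mount_sb_relabel()` before accepting `fscontext_sid`. If omitting a relabel check for the derived label is intentional, the block comment should say so; otherwise add the check before `goto out_set_opts`. The comment also states that security labels "must be ignored", yet only `SECURITY_FS_USE_XATTR` is rewritten to `SECURITY_FS_USE_MNTPOINT`; a sentence explaining why the other labeling behaviors need no change would make the intent clear.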
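
Review bot: In the second hunk (`@@ -824,6 +846,7 @@`), the new `out_set_opts:` label lets the user-namespace branch jump past every option-handling block between it and `sb_finish_set_opts(sb)`, which is only correct because that branch has already rejected all four context SIDs with `-EACCES`. A one-line comment at the label stating that assumption would keep later additions to the skipped region from silently not applying to user namespace mounts.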