
[v2,5/7] selinux: Add support for unprivileged mounts from user namespaces

Message ID 1444755861-54997-6-git-send-email-seth.forshee@canonical.com (mailing list archive)
State New, archived

Commit Message

Seth Forshee Oct. 13, 2015, 5:04 p.m. UTC
Security labels from unprivileged mounts in user namespaces must
be ignored. Superblocks from user namespaces whose labeling
behavior is xattr-based are forced to use mountpoint labeling instead.
For the mountpoint label, default to converting the current task
context into a form suitable for file objects, but also allow the
policy writer to specify a different label through policy
transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
---
 security/selinux/hooks.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

Comments

Stephen Smalley Oct. 13, 2015, 8:27 p.m. UTC | #1
On 10/13/2015 01:04 PM, Seth Forshee wrote:
> Security labels from unprivileged mounts in user namespaces must
> be ignored. Force superblocks from user namespaces whose labeling
> behavior is to use xattrs to use mountpoint labeling instead.
> For the mountpoint label, default to converting the current task
> context into a form suitable for file objects, but also allow the
> policy writer to specify a different label through policy
> transition rules.
>
> Pieced together from code snippets provided by Stephen Smalley.
>
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   security/selinux/hooks.c | 23 +++++++++++++++++++++++
>   1 file changed, 23 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index de05207eb665..09be1dc21e58 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>   			goto out;
>   		}
>   	}
> +
> +	/*
> +	 * If this is a user namespace mount, no contexts are allowed
> +	 * on the command line and security labels must be ignored.
> +	 */
> +	if (sb->s_user_ns != &init_user_ns) {
> +		if (context_sid || fscontext_sid || rootcontext_sid ||
> +		    defcontext_sid) {
> +			rc = -EACCES;
> +			goto out;
> +		}
> +		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
> +			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
> +			rc = security_transition_sid(current_sid(), current_sid(),
> +						     SECCLASS_FILE, NULL,
> +						     &sbsec->mntpoint_sid);
> +			if (rc)
> +				goto out;
> +		}
> +		goto out_set_opts;
> +	}
> +
>   	/* sets the context of the superblock for the fs being mounted. */
>   	if (fscontext_sid) {
>   		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
> @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>   		sbsec->def_sid = defcontext_sid;
>   	}
>
> +out_set_opts:
>   	rc = sb_finish_set_opts(sb);
>   out:
>   	mutex_unlock(&sbsec->lock);
>


Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index de05207eb665..09be1dc21e58 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -756,6 +756,28 @@  static int selinux_set_mnt_opts(struct super_block *sb,
 			goto out;
 		}
 	}
+
+	/*
+	 * If this is a user namespace mount, no contexts are allowed
+	 * on the command line and security labels must be ignored.
+	 */
+	if (sb->s_user_ns != &init_user_ns) {
+		if (context_sid || fscontext_sid || rootcontext_sid ||
+		    defcontext_sid) {
+			rc = -EACCES;
+			goto out;
+		}
+		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
+			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
+			rc = security_transition_sid(current_sid(), current_sid(),
+						     SECCLASS_FILE, NULL,
+						     &sbsec->mntpoint_sid);
+			if (rc)
+				goto out;
+		}
+		goto out_set_opts;
+	}
+
 	/* sets the context of the superblock for the fs being mounted. */
 	if (fscontext_sid) {
 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
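Review bot: The override at `if (sbsec->behavior == SECURITY_FS_USE_XATTR)` remaps only xattr labeling, while the comment above it says security labels must be ignored for every user namespace mount. Any other behavior that takes labels from the filesystem itself (SECURITY_FS_USE_NATIVE, if such a filesystem can ever be mounted from a non-init user namespace) would reach `goto out_set_opts` with its behavior unchanged. Either extend the test, e.g. `if (sbsec->behavior == SECURITY_FS_USE_XATTR || sbsec->behavior == SECURITY_FS_USE_NATIVE) {`, or say in the comment why xattr is the only case that can arrive here. Separately, `sbsec->behavior` is overwritten before security_transition_sid() can fail; assigning it after the `if (rc)` check would leave sbsec untouched on the error path. selinux_set_mnt_opts starts and ends outside the hunk, so how sbsec->behavior was chosen is not visible here.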
@@ -824,6 +846,7 @@  static int selinux_set_mnt_opts(struct super_block *sb,
 		sbsec->def_sid = defcontext_sid;
 	}
 
+out_set_opts:
 	rc = sb_finish_set_opts(sb);
 out:
 	mutex_unlock(&sbsec->lock);