From patchwork Mon Dec  7 21:21:26 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee <seth.forshee@canonical.com>
X-Patchwork-Id: 7791511
Return-Path: <selinux-bounces@tycho.nsa.gov>
X-Original-To: patchwork-selinux@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id CFB979F1C2
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  7 Dec 2015 22:13:44 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 29B102055B
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  7 Dec 2015 22:13:44 +0000 (UTC)
Received: from emvm-gh1-uea09.nsa.gov (emvm-gh1-uea09.nsa.gov [63.239.67.10])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 52CBC20497
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  7 Dec 2015 22:13:43 +0000 (UTC)
X-TM-IMSS-Message-ID: <3e7497b400007bc3@nsa.gov>
Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by nsa.gov
	([10.208.42.194]) with ESMTP (TREND IMSS SMTP Service 7.1) id
	3e7497b400007bc3 ; Mon, 7 Dec 2015 17:13:30 -0500
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id tB7MBm6x005968;
	Mon, 7 Dec 2015 17:11:48 -0500
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	tB7LQXuS263195 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Mon, 7 Dec 2015 16:26:33 -0500
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id tB7LNOqC001405
	for <selinux@tycho.nsa.gov>; Mon, 7 Dec 2015 16:26:32 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1CeBABD9WVW/7XfVdFeGQEBAQEPAQEBAYRLuxeEFoYOAoITAQEBAQEBhUABAQEDEhUZAQE3AQ9RNAEFARwGARIiiA2iR4ExPjGKV4VUAQWLdQEBAQEBAQEDAgEaBgqEOoIQiSWFE44kiEKWTYYhi242gRdjggQNHRaBX1MBhCSBSgEBAQ
X-IPAS-Result: 
 A1CeBABD9WVW/7XfVdFeGQEBAQEPAQEBAYRLuxeEFoYOAoITAQEBAQEBhUABAQEDEhUZAQE3AQ9RNAEFARwGARIiiA2iR4ExPjGKV4VUAQWLdQEBAQEBAQEDAgEaBgqEOoIQiSWFE44kiEKWTYYhi242gRdjggQNHRaBX1MBhCSBSgEBAQ
X-IronPort-AV: E=Sophos;i="5.20,396,1444708800"; d="scan'208";a="5004914"
Received: from emvm-gh1-uea08.nsa.gov ([10.208.42.193])
	by goalie.tycho.ncsc.mil with ESMTP; 07 Dec 2015 16:23:45 -0500
X-TM-IMSS-Message-ID: <3e4ed43600028038@nsa.gov>
Received: from mail-io0-f181.google.com (mail-io0-f181.google.com
	[209.85.223.181]) by nsa.gov ([10.208.42.193]) with ESMTP (TREND IMSS
	SMTP
	Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id 3e4ed43600028038 ;
	Mon, 7 Dec 2015 16:23:42 -0500
Received: by ioir85 with SMTP id r85so4072083ioi.1
	for <selinux@tycho.nsa.gov>; Mon, 07 Dec 2015 13:23:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=canonical-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=I+tV0Zq7I/ToVMjVRbG3e6g2zXzphJvZzM2RbyWhZSM=;
	b=K7QUV1MwMOwocKDF5GUVvLUhil7kIA1ZgcKljxslGY1XHyHwWIcYBbLGO0lyzXsr7X
	w52kXhXtkdxbJlvWeXWiol0K1v8OncwnNBdWeaqBBlhuvCI/r71VKWQEcq6BqaB1CsC2
	93Lx7zkhvPioVQteguWC3hxKJPHiLRZph+V8eklua490Bdn5aZQSOhjyr/II9PSqzWMk
	MGu+gFZnJ9Fvwa1MmCSDWIo1V2g5mwRRc1x+HsHos5SiEzZ1Bz8mCp7UrP5rLPUQx/z4
	JApvyVhlYafE1TtVbR1DG6/Cs0GrJDRUr9qh+DrlFKSLiHTgEN3/AO8a2dOrWzlxYmGF
	flYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=I+tV0Zq7I/ToVMjVRbG3e6g2zXzphJvZzM2RbyWhZSM=;
	b=kAsOf4AXPZ4yOCgkRy/GYnydUCHHwIu4YPr75oJQ64pL/dBamvKK2sjQNl2ny7A6UJ
	ZOx9UfAz1gfj7kXQBHF/YMn5tplK5eXIofrN8pJh6W9UMWofV6+50bs4etXRBS5XH+2Y
	PDEwTlnf3QhvaWva2gcPrKteYiAbq3I9y3sYZrOVexsBs4FAlBznSkRP75Z6ZkKq9Onu
	aP5AW1v1D1tdR56eV+BBhgXZcDho+zY4h2t0xIFjC/rVM9cRztyYi02IdhEfsf2dKzRv
	F3k5o9gtCHiDnNyAVcd1jLmOB2O/0NB7MEZxIjg3pDHBMA8irFqL6GlWDBNLmZiLdyt8
	Yzzg==
X-Gm-Message-State: 
 ALoCoQlF+bLBCk/dhT8yz+EjWnlwxSHO5DpsOYsXeTQy4QQ/OZN/GllcM9OCn0ZaAiVPI4ROeoynmv6kGafI2Io6F+P3wddYNA==
X-Received: by 10.107.17.160 with SMTP id 32mr601458ior.28.1449523424331;
	Mon, 07 Dec 2015 13:23:44 -0800 (PST)
Received: from localhost (199-87-125-144.dyn.kc.surewest.net.
	[199.87.125.144]) by smtp.gmail.com with ESMTPSA id
	l41sm205505iod.34.2015.12.07.13.23.43
	(version=TLS1_2 cipher=AES128-SHA bits=128/128);
	Mon, 07 Dec 2015 13:23:43 -0800 (PST)
From: Seth Forshee <seth.forshee@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
	Miklos Szeredi <miklos@szeredi.hu>
Subject: [PATCH v2 17/18] fuse: Restrict allow_other to the superblock's
	namespace or a descendant
Date: Mon,  7 Dec 2015 15:21:26 -0600
Message-Id: <1449523289-144238-18-git-send-email-seth.forshee@canonical.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1449523289-144238-1-git-send-email-seth.forshee@canonical.com>
References: <1449523289-144238-1-git-send-email-seth.forshee@canonical.com>
X-TM-AS-MML: disable
X-Mailman-Approved-At: Mon, 07 Dec 2015 16:44:28 -0500
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: Serge Hallyn <serge.hallyn@canonical.com>,
	Seth Forshee <seth.forshee@canonical.com>, dm-devel@redhat.com,
	linux-security-module@vger.kernel.org,
	Richard Weinberger <richard.weinberger@gmail.com>,
	linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net,
	Austin S Hemmelgarn <ahferroin7@gmail.com>,
	linux-mtd@lists.infradead.org,
	Alexander Viro <viro@zeniv.linux.org.uk>, selinux@tycho.nsa.gov,
	linux-fsdevel@vger.kernel.org
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Unprivileged users are normally restricted from mounting with the
allow_other option by system policy, but this could be bypassed
for a mount done with user namespace root permissions. In such
cases allow_other should not allow users outside the userns
to access the mount as doing so would give the unprivileged user
the ability to manipulate processes it would otherwise be unable
to manipulate. Restrict allow_other to apply to users in the same
userns used at mount or a descendant of that namespace.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
---
 fs/fuse/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 8fd9fe4dcd43..24e4cdb554f1 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1015,7 +1015,7 @@ int fuse_allow_current_process(struct fuse_conn *fc)
 	const struct cred *cred;
 
 	if (fc->flags & FUSE_ALLOW_OTHER)
-		return 1;
+		return current_in_userns(fc->user_ns);
 
 	cred = current_cred();
 	if (uid_eq(cred->euid, fc->user_id) &&