From: Seth Forshee
To: "Eric W. Biederman", Paul Moore, Stephen Smalley, Eric Paris
Cc: Serge Hallyn, Seth Forshee, James Morris, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH v2 04/18] selinux: Add support for unprivileged mounts from user namespaces
Date: Mon, 7 Dec 2015 15:21:13 -0600
Message-Id: <1449523289-144238-5-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1449523289-144238-1-git-send-email-seth.forshee@canonical.com>

Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee Acked-by: Stephen Smalley Acked-by: James Morris --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a5b93df6553f..5fedc36dd6b2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
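
Review bot: in the `SECURITY_FS_USE_XATTR` branch of the first hunk, `sbsec->behavior` is switched to `SECURITY_FS_USE_MNTPOINT` before `security_transition_sid()` is called, so when that call fails the `goto out` leaves the superblock security struct with the new behavior but no `mntpoint_sid` computed for it. Compute the SID into a local first and assign both fields only on success. The comment also says security labels "must be ignored", yet only the xattr behavior is rewritten; a sentence on why the other `sbsec->behavior` values need no change would help, and the `-EACCES` return for a context option on the command line gives the user no hint which option was rejected.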
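
Review bot: the `out_set_opts:` label in the second hunk sits directly before `rc = sb_finish_set_opts(sb);`, so the user-namespace path jumps over everything between the two hunks, not only the handling of the four `*context_sid` options that the early `-EACCES` check already rules out. Most of that span is outside the visible context, so it is worth confirming that nothing in it besides the assignments ending in `sbsec->def_sid = defcontext_sid;` is needed for user-namespace superblocks, and adding a one-line comment at the label naming the path that jumps to it.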