From patchwork Mon Jan 4 18:03:43 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7950061
From: Seth Forshee
To: "Eric W. Biederman", Paul Moore, Stephen Smalley, Eric Paris
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, Seth Forshee, James Morris, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH RESEND v2 04/18] selinux: Add support for unprivileged mounts from user namespaces
Date: Mon, 4 Jan 2016 12:03:43 -0600
Message-Id: <1451930639-94331-5-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee Acked-by: Stephen Smalley Acked-by: James Morris --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a5b93df6553f..5fedc36dd6b2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
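
Review bot: In the first hunk (@@ -756,6 +756,28 @@), `sbsec->behavior = SECURITY_FS_USE_MNTPOINT;` is assigned before `security_transition_sid()` is called, so when that call fails the `goto out` path, as far as the visible lines show, leaves the superblock with mountpoint behavior selected but `sbsec->mntpoint_sid` never filled in. Computing the SID first and switching `behavior` only once `rc` is zero would keep the two fields consistent on error. The new comment also says security labels must be ignored, while the code overrides only `SECURITY_FS_USE_XATTR`; a sentence on why the other labeling behaviors need no override would help the next reader.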
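
Review bot: In the second hunk (@@ -824,6 +846,7 @@), the new `out_set_opts:` label carries no comment, and the user-namespace branch that jumps to it skips everything in between, including the `fscontext_sid` relabel check and the `sbsec->def_sid = defcontext_sid;` assignment visible in the context lines. That is safe only because the earlier block returns -EACCES whenever any of the four SIDs is set; stating that dependency in a short comment at the label would keep a later change in the skipped region from silently not applying to user-namespace mounts.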