From patchwork Wed Sep 16 20:02:43 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7199031
From: Seth Forshee
To: "Eric W. Biederman", Alexander Viro, Paul Moore, Stephen Smalley, Eric Paris
Cc: Serge Hallyn, Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH v3 7/7] selinux: Add support for unprivileged mounts from user namespaces
Date: Wed, 16 Sep 2015 15:02:43 -0500
Message-Id: <1442433764-80826-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1442433764-80826-1-git-send-email-seth.forshee@canonical.com>
References: <1442433764-80826-1-git-send-email-seth.forshee@canonical.com>

Security labels from unprivileged mounts in user namespaces must be
ignored. Force superblocks from user namespaces whose labeling
behavior is to use xattrs to use mountpoint labeling instead. For the
mountpoint label, default to converting the current task context into
a form suitable for file objects, but also allow the policy writer to
specify a different label through policy transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee
---
 security/selinux/hooks.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index de05207eb665..09be1dc21e58 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
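Review bot: in the first hunk (@@ -756,6 +756,28 @@), the new comment says security labels must be ignored for a user namespace mount, but the branch only rewrites sbsec->behavior when it equals SECURITY_FS_USE_XATTR; for every other behavior value it falls through to "goto out_set_opts" with the labeling behavior unchanged. Either state in the comment why xattr labeling is the only behavior that can carry labels controlled by the mounter, or handle the remaining behaviors explicitly so the guarantee does not depend on which filesystems happen to be mountable from a user namespace. A smaller point in the same block: sbsec->behavior is set to SECURITY_FS_USE_MNTPOINT before security_transition_sid() is called, so on the "if (rc) goto out;" error path the superblock is left with mountpoint behavior and no mntpoint_sid computed. Calling security_transition_sid() first and assigning the behavior only on success avoids that intermediate state.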
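Review bot: in the second hunk (@@ -824,6 +846,7 @@), the out_set_opts label is now entered two ways, by fall-through after "sbsec->def_sid = defcontext_sid;" and by the jump from the user namespace branch, and the jump bypasses everything between the two hunks, starting with the may_context_mount_sb_relabel() check. That is only safe if the skipped code acts solely on the context SIDs the branch has already required to be zero; please say so in a short comment at the goto or at the label, so a later change that adds an unrelated check in the skipped region is not silently bypassed for user namespace mounts.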