X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7302451
From: Seth Forshee
To: "Eric W. Biederman", Paul Moore, Stephen Smalley, Eric Paris
Cc: Alexander Viro, Serge Hallyn, Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH 3/5] selinux: Add support for unprivileged mounts from user namespaces
Date: Wed, 30 Sep 2015 15:15:12 -0500
Message-Id: <1443644116-41366-4-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1443644116-41366-1-git-send-email-seth.forshee@canonical.com>

Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index de05207eb665..09be1dc21e58 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
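Review bot: In the `SECURITY_FS_USE_XATTR` branch of the first hunk, `sbsec->behavior` is switched to `SECURITY_FS_USE_MNTPOINT` before `security_transition_sid()` is called, so a failure there takes `goto out` with the behavior already changed and `sbsec->mntpoint_sid` not set by this block. Computing the SID first and assigning `sbsec->behavior` only once `rc` is 0 would keep the superblock security state consistent on the error path, unless every caller is known to discard the superblock when this function fails. The block comment says security labels must be ignored, but only the xattr behavior is rewritten; any other `sbsec->behavior` value goes straight to `out_set_opts` unchanged, so the comment should say why those behaviors are safe for a mount where `sb->s_user_ns != &init_user_ns`. A one-line comment on why `current_sid()` is passed as both the source and target SID with `SECCLASS_FILE` would also carry the commit message's explanation (task context converted to a file label, overridable by policy transition rules) into the code.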