From patchwork Tue Oct 13 17:04:18 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7387011
From: Seth Forshee
To: "Eric W. Biederman", Paul Moore, Stephen Smalley, Eric Paris
Cc: Alexander Viro, Serge Hallyn, Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH v2 5/7] selinux: Add support for unprivileged mounts from user namespaces
Date: Tue, 13 Oct 2015 12:04:18 -0500
Message-Id: <1444755861-54997-6-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1444755861-54997-1-git-send-email-seth.forshee@canonical.com>
References: <1444755861-54997-1-git-send-email-seth.forshee@canonical.com>

Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee Acked-by: Stephen Smalley --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index de05207eb665..09be1dc21e58 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
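
Review bot: in the first hunk only the SECURITY_FS_USE_XATTR case is switched to SECURITY_FS_USE_MNTPOINT, yet the comment above the block says security labels must be ignored for any mount where sb->s_user_ns != &init_user_ns. Every other value of sbsec->behavior reaches goto out_set_opts unchanged, so either extend the comment to say why those behaviors cannot pick up labels from the unprivileged mount, or handle them explicitly. The security_transition_sid(current_sid(), current_sid(), SECCLASS_FILE, NULL, &sbsec->mntpoint_sid) call also deserves a one-line comment: the commit message explains that it derives a file label from the task context and lets policy override it with a transition rule, but nothing in the code says so.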
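
Review bot: the out_set_opts label added in the second hunk lets the user namespace path jump past everything between the two hunks, and most of that region is not visible in this patch. The visible parts (the if (fscontext_sid) block and sbsec->def_sid = defcontext_sid;) are keyed on the four context SIDs that the first hunk already requires to be zero, but the description should state that nothing else in the skipped region is needed for these mounts, in particular any step there that does not depend on a context option. A short comment at the label naming the path that uses it would help the next reader.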