From patchwork Wed Dec 2 15:40:18 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7748691
From: Seth Forshee
To: "Eric W. Biederman", Miklos Szeredi
Subject: [PATCH 18/19] fuse: Restrict allow_other to the superblock's namespace or a descendant
Date: Wed, 2 Dec 2015 09:40:18 -0600
Message-Id: <1449070821-73820-19-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1449070821-73820-1-git-send-email-seth.forshee@canonical.com>
References: <1449070821-73820-1-git-send-email-seth.forshee@canonical.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
Cc: Serge Hallyn, Seth Forshee, dm-devel@redhat.com, linux-security-module@vger.kernel.org, Richard Weinberger, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org

Unprivileged users are normally restricted from mounting with the
allow_other option by system policy, but this could be bypassed for a
mount done with user namespace root permissions. In such cases
allow_other should not allow users outside the userns to access the
mount as doing so would give the unprivileged user the ability to
manipulate processes it would otherwise be unable to manipulate.

Restrict allow_other to apply to users in the same userns used at mount
or a descendant of that namespace.

Signed-off-by: Seth Forshee Acked-by: Serge Hallyn --- fs/fuse/dir.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index f67f4dd86b36..5b8edb1203b8 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -1018,8 +1018,14 @@ int fuse_allow_current_process(struct fuse_conn *fc) { const struct cred *cred; - if (fc->flags & FUSE_ALLOW_OTHER) - return 1; + if (fc->flags & FUSE_ALLOW_OTHER) { + struct user_namespace *ns; + for (ns = current_user_ns(); ns; ns = ns->parent) { + if (ns == fc->user_ns) + return 1; + } + return 0; + } cred = current_cred(); if (uid_eq(cred->euid, fc->user_id) &&
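
Review bot: the `return 0;` that closes the new FUSE_ALLOW_OTHER branch in fuse_allow_current_process() skips the `uid_eq(cred->euid, fc->user_id)` check below it, so with allow_other set a caller outside fc->user_ns and its descendants is refused without ever being compared against the mount owner, while the same caller on a mount without allow_other still reaches that comparison. If that asymmetry is intended, state it in a comment above the branch; if not, fall through to the cred check instead of returning 0. The open-coded walk `for (ns = current_user_ns(); ns; ns = ns->parent)` would also read better as a small helper that takes the target namespace, so the "same userns or a descendant" rule from the commit message has a name at the call site.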