From patchwork Wed Dec 2 15:40:04 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7748531
From: Seth Forshee
To: "Eric W. Biederman", Paul Moore, Stephen Smalley, Eric Paris
Subject: [PATCH 04/19] selinux: Add support for unprivileged mounts from user namespaces
Date: Wed, 2 Dec 2015 09:40:04 -0600
Message-Id: <1449070821-73820-5-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1449070821-73820-1-git-send-email-seth.forshee@canonical.com>
References: <1449070821-73820-1-git-send-email-seth.forshee@canonical.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
Cc: Serge Hallyn, Seth Forshee, James Morris, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org

Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee Acked-by: Stephen Smalley Acked-by: James Morris --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a5b93df6553f..5fedc36dd6b2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
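
Review bot: in the `SECURITY_FS_USE_XATTR` branch of the first hunk, `sbsec->behavior` is switched to `SECURITY_FS_USE_MNTPOINT` before `security_transition_sid()` is called, so a failure there takes `goto out` with the behavior already changed and `mntpoint_sid` not set. Computing the SID into a local variable and assigning both fields only on success would keep the superblock security struct consistent on the error path. The block also converts only xattr labeling; if any other labeling behavior can carry labels supplied by the filesystem, the comment's "security labels must be ignored" should say why those cases are safe to leave alone. The `-EACCES` rejection of context mount options is described in the code comment but not in the commit message, and deserves a sentence there.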
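
Review bot: the new `out_set_opts:` label in the second hunk is reached by a `goto` that skips all of the fscontext, context, rootcontext and defcontext handling between the two hunks, which is correct only because the first hunk has already returned `-EACCES` when any of those SIDs is set. A one-line comment at the label stating that invariant would guard against later code being added above it on the assumption that every mount passes through that block.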