From patchwork Tue Apr 26 19:36:15 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 8944471
From: Seth Forshee
To: "Eric W. Biederman", Alexander Viro
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, Seth Forshee, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov
Subject: [PATCH v4 02/21] fs: Remove check of s_user_ns for existing mounts in fs_fully_visible()
Date: Tue, 26 Apr 2016 14:36:15 -0500
Message-Id: <1461699396-33000-3-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>
References: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>

fs_fully_visible() ignores MNT_LOCK_NODEV when FS_USERNS_DEV_MOUNT is not set for the filesystem, but there is a bug in the logic that may cause mounting to fail. It is doing this only when the existing mount is not in init_user_ns but should check the new mount instead. But the new mount is always in a non-init namespace when fs_fully_visible() is called, so that condition can simply be removed.

Signed-off-by: Seth Forshee
---
 fs/namespace.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c index f20c82f91ecb..c133318bec35 100644
--- a/fs/namespace.c +++ b/fs/namespace.c @@ -3234,8 +3234,7 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags) mnt_flags = mnt->mnt.mnt_flags; if (mnt->mnt.mnt_sb->s_iflags & SB_I_NOEXEC) mnt_flags &= ~(MNT_LOCK_NOSUID | MNT_LOCK_NOEXEC); - if (mnt->mnt.mnt_sb->s_user_ns != &init_user_ns && - !(mnt->mnt.mnt_sb->s_type->fs_flags & FS_USERNS_DEV_MOUNT)) + if (!(mnt->mnt.mnt_sb->s_type->fs_flags & FS_USERNS_DEV_MOUNT)) mnt_flags &= ~(MNT_LOCK_NODEV); /* Verify the mount flags are equal to or more permissive
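
Review bot: the simplified test "if (!(mnt->mnt.mnt_sb->s_type->fs_flags & FS_USERNS_DEV_MOUNT))" in fs_fully_visible() now depends on an invariant that appears only in the commit message, namely that the new mount is always in a non-init user namespace when this function is called; nothing in the visible code states or enforces it. With the s_user_ns comparison gone, MNT_LOCK_NODEV is dropped from mnt_flags for every existing mount of a filesystem type that lacks FS_USERNS_DEV_MOUNT, regardless of which namespace owns its superblock, so a later caller that reaches this path from init_user_ns would silently get the relaxed comparison. Please add a short comment above the condition recording the caller-side assumption (and why the nodev lock can be ignored for such filesystem types), so the reasoning survives in the source and not only in the changelog.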