| Message ID | 20181221201853.24015-2-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | Fix SELinux context mount with the cgroup filesystem | expand |
On 12/21/18 3:18 PM, Ondrej Mosnacek wrote: > In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling > files/directories, so we should never set the SBLABEL_MNT flag. The > 'special handling' in selinux_is_sblabel_mnt() is only intended for when > the behavior is set to SECURITY_FS_USE_GENFS. > > While there, make the logic in selinux_is_sblabel_mnt() more explicit > and add a BUILD_BUG_ON() to make sure that introducing a new > SECURITY_FS_USE_* forces a review of the logic. > > Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs") > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > security/selinux/hooks.c | 40 +++++++++++++++++++++++++++++++--------- > 1 file changed, 31 insertions(+), 9 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 7ce012d9ec51..b4759bebeddc 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -497,16 +497,10 @@ static int may_context_mount_inode_relabel(u32 sid, > return rc; > } > > -static int selinux_is_sblabel_mnt(struct super_block *sb) > +static int selinux_is_genfs_special_handling(struct super_block *sb) > { > - struct superblock_security_struct *sbsec = sb->s_security; > - > - return sbsec->behavior == SECURITY_FS_USE_XATTR || > - sbsec->behavior == SECURITY_FS_USE_TRANS || > - sbsec->behavior == SECURITY_FS_USE_TASK || > - sbsec->behavior == SECURITY_FS_USE_NATIVE || > - /* Special handling. Genfs but also in-core setxattr handler */ > - !strcmp(sb->s_type->name, "sysfs") || > + /* Special handling. Genfs but also in-core setxattr handler */ > + return !strcmp(sb->s_type->name, "sysfs") || > !strcmp(sb->s_type->name, "pstore") || > !strcmp(sb->s_type->name, "debugfs") || > !strcmp(sb->s_type->name, "tracefs") || > @@ -516,6 +510,34 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) > !strcmp(sb->s_type->name, "cgroup2"))); > } > > +static int selinux_is_sblabel_mnt(struct super_block *sb) > +{ > + struct superblock_security_struct *sbsec = sb->s_security; > + > + /* > + * IMPORTANT: Double-check logic in this function when adding a new > + * SECURITY_FS_USE_* definition! > + */ > + BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); > + > + switch (sbsec->behavior) { > + case SECURITY_FS_USE_XATTR: > + case SECURITY_FS_USE_TRANS: > + case SECURITY_FS_USE_TASK: > + case SECURITY_FS_USE_NATIVE: > + return 1; > + > + case SECURITY_FS_USE_GENFS: > + return selinux_is_genfs_special_handling(sb); > + > + /* Never allow relabeling on context mounts */ > + case SECURITY_FS_USE_MNTPOINT: > + case SECURITY_FS_USE_NONE: > + default: > + return 0; > + } > +} > + > static int sb_finish_set_opts(struct super_block *sb) > { > struct superblock_security_struct *sbsec = sb->s_security; >
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7ce012d9ec51..b4759bebeddc 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -497,16 +497,10 @@ static int may_context_mount_inode_relabel(u32 sid, return rc; } -static int selinux_is_sblabel_mnt(struct super_block *sb) +static int selinux_is_genfs_special_handling(struct super_block *sb) { - struct superblock_security_struct *sbsec = sb->s_security; - - return sbsec->behavior == SECURITY_FS_USE_XATTR || - sbsec->behavior == SECURITY_FS_USE_TRANS || - sbsec->behavior == SECURITY_FS_USE_TASK || - sbsec->behavior == SECURITY_FS_USE_NATIVE || - /* Special handling. Genfs but also in-core setxattr handler */ - !strcmp(sb->s_type->name, "sysfs") || + /* Special handling. Genfs but also in-core setxattr handler */ + return !strcmp(sb->s_type->name, "sysfs") || !strcmp(sb->s_type->name, "pstore") || !strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || @@ -516,6 +510,34 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) !strcmp(sb->s_type->name, "cgroup2"))); } +static int selinux_is_sblabel_mnt(struct super_block *sb) +{ + struct superblock_security_struct *sbsec = sb->s_security; + + /* + * IMPORTANT: Double-check logic in this function when adding a new + * SECURITY_FS_USE_* definition! + */ + BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); + + switch (sbsec->behavior) { + case SECURITY_FS_USE_XATTR: + case SECURITY_FS_USE_TRANS: + case SECURITY_FS_USE_TASK: + case SECURITY_FS_USE_NATIVE: + return 1; + + case SECURITY_FS_USE_GENFS: + return selinux_is_genfs_special_handling(sb); + + /* Never allow relabeling on context mounts */ + case SECURITY_FS_USE_MNTPOINT: + case SECURITY_FS_USE_NONE: + default: + return 0; + } +} + static int sb_finish_set_opts(struct super_block *sb) { struct superblock_security_struct *sbsec = sb->s_security;
In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling files/directories, so we should never set the SBLABEL_MNT flag. The 'special handling' in selinux_is_sblabel_mnt() is only intended for when the behavior is set to SECURITY_FS_USE_GENFS. While there, make the logic in selinux_is_sblabel_mnt() more explicit and add a BUILD_BUG_ON() to make sure that introducing a new SECURITY_FS_USE_* forces a review of the logic. Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/hooks.c | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-)