From patchwork Fri Nov 16 13:12:02 2018
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 10686353
From: Ondrej Mosnacek
To: Paul Moore, selinux@vger.kernel.org
Cc: "Eric W . Biederman", Trond Myklebust, Seth Forshee, linux-fsdevel@vger.kernel.org, Ondrej Mosnacek
Subject: [PATCH] selinux: always allow mounting submounts
Date: Fri, 16 Nov 2018 14:12:02 +0100
Message-Id: <20181116131202.26513-1-omosnace@redhat.com>

If a superblock has the MS_SUBMOUNT flag set, we should always allow mounting it. These mounts are done automatically by the kernel either as part of mounting some parent mount (e.g. debugfs always mounts tracefs under "tracing" for compatibility) or they are mounted automatically as needed on subdirectory accesses (e.g. NFS crossmnt mounts).

Since such automounts are either an implicit consequence of the parent mount (which is already checked) or they can happen during regular accesses (where it doesn't make sense to check against the current task's context), the mount permission check should be skipped for them.

Without this patch, attempts to access contents of an automounted directory can cause unexpected SELinux denials.

In the current kernel tree, the MS_SUBMOUNT flag is set only via vfs_submount(), which is called only from the following places:
 - AFS, when automounting special "symlinks" referencing other cells
 - CIFS, when automounting "referrals"
 - NFS, when automounting subtrees
 - debugfs, when automounting tracefs

In all cases the submounts are meant to be transparent to the user and it makes sense that if mounting the master is allowed, then so should be the automounts.
Note that CAP_SYS_ADMIN capability checking is already skipped for (SB_KERNMOUNT|SB_SUBMOUNT) in:
 - sget_userns() in fs/super.c:
	if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) &&
	    !(type->fs_flags & FS_USERNS_MOUNT) &&
	    !capable(CAP_SYS_ADMIN))
		return ERR_PTR(-EPERM);
 - sget() in fs/super.c:
	/* Ensure the requestor has permissions over the target filesystem */
	if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN))
		return ERR_PTR(-EPERM);

Verified internally on patched RHEL 7.6 with a reproducer using NFS+httpd and selinux-testsuite.

Fixes: 93faccbbfa95 ("fs: Better permission checking for submounts")
Signed-off-by: Ondrej Mosnacek

--- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7ce683259357..7ce012d9ec51 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2934,7 +2934,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) return rc; /* Allow all mounts performed by the kernel */ - if (flags & MS_KERNMOUNT) + if (flags & (MS_KERNMOUNT | MS_SUBMOUNT)) return 0; ad.type = LSM_AUDIT_DATA_DENTRY;
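
Review bot: the comment above the changed condition in selinux_sb_kern_mount(), "/* Allow all mounts performed by the kernel */", is left as it was and does not say why the SELinux mount check is also skipped for MS_SUBMOUNT. The reasoning lives only in the commit message (submounts are an implicit consequence of an already-checked parent mount, or are triggered by ordinary accesses where the current task's context is not meaningful). Suggest extending that comment to name submounts and state that the parent mount's check is what is being relied on, so a later reader of this early "return 0" does not have to dig through history to see that the bypass is intentional. Also, the commit message quotes the fs/super.c checks using SB_KERNMOUNT|SB_SUBMOUNT while the changed line uses the MS_ names; it is worth confirming which set of flags the "flags" argument carries at this call site and using that spelling consistently.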