From: Seth Forshee
Subject: [PATCH 5/7] security: Restrict security attribute updates for userns mounts
Date: Wed, 15 Jul 2015 14:46:06 -0500
Message-ID: <1436989569-69582-6-git-send-email-seth.forshee@canonical.com>
References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com>
To: "Eric W. Biederman" , Alexander Viro , James Morris , "Serge E. Hallyn"
Cc: Serge Hallyn , Andy Lutomirski , Seth Forshee , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

Respecting security labels for mounts from user namespaces may allow
unprivileged users to introduce security labels into the system. To stop
this from happening, prevent calling the inode_post_setxattr,
inode_setsecurity, inode_notifysecctx, and inode_setsecctx hooks when
s_user_ns != init_user_ns.

There's no purpose in actually blocking setting of these xattrs, as (for
rw mounts at least) the user must have write access to the underlying
filesystem and could set the xattrs by other means.

Signed-off-by: Seth Forshee
---
 security/security.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/security/security.c b/security/security.c
index 062f3c997fdc..980710baa8f9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -653,7 +653,9 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name, { if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return; - call_void_hook(inode_post_setxattr, dentry, name, value, size, flags); + if (dentry->d_inode->i_sb->s_user_ns == &init_user_ns) + call_void_hook(inode_post_setxattr, dentry, name, value, size, + flags); evm_inode_post_setxattr(dentry, name, value, size); } @@ -712,6 +714,8 @@ int security_inode_getsecurity(const struct inode *inode, const char *name, void int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { + if (inode->i_sb->s_user_ns != &init_user_ns) + return -EOPNOTSUPP; if (unlikely(IS_PRIVATE(inode))) return -EOPNOTSUPP; return call_int_hook(inode_setsecurity, -EOPNOTSUPP, inode, name, @@ -1168,12 +1172,16 @@ EXPORT_SYMBOL(security_release_secctx); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) { + if (inode->i_sb->s_user_ns != &init_user_ns) + return -EOPNOTSUPP; return call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen); } EXPORT_SYMBOL(security_inode_notifysecctx); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { + if (dentry->d_inode->i_sb->s_user_ns != &init_user_ns) + return -EOPNOTSUPP; return call_int_hook(inode_setsecctx, 0, dentry, ctx, ctxlen); } EXPORT_SYMBOL(security_inode_setsecctx); -- 1.9.1
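Review bot: in the security_inode_post_setxattr() hunk the new condition reads `dentry->d_inode->i_sb->s_user_ns` while the IS_PRIVATE check two lines above goes through `d_backing_inode(dentry)`; those are not guaranteed to be the same inode, so the userns test should use the same accessor, e.g. `if (d_backing_inode(dentry)->i_sb->s_user_ns == &init_user_ns)`. It would also help to add a short comment (or a sentence in the commit message) stating that `evm_inode_post_setxattr()` is intentionally still run for userns mounts, since the hunk skips only the LSM hook and a reader will otherwise wonder whether that asymmetry was deliberate.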
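Review bot: the early `return -EOPNOTSUPP;` added to security_inode_setsecurity() is a behaviour change that the commit message does not acknowledge: the message says there is "no purpose in actually blocking setting of these xattrs", but for a filesystem that has no setxattr of its own and relies on the LSM to hold the label, this return is exactly what makes the caller's setxattr fail. Either state that explicitly in the commit message (it is the same outcome as having no LSM hook registered, which may be the intended argument) or return 0 here so that the label is silently ignored rather than rejected.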
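Review bot: in the security_inode_notifysecctx() and security_inode_setsecctx() hunks the new early returns give -EOPNOTSUPP, yet the hooks they guard default to 0 when no LSM implements them (`call_int_hook(inode_notifysecctx, 0, ...)` and `call_int_hook(inode_setsecctx, 0, ...)`), so a userns mount now sees an error where a kernel with no LSM sees success, and any caller that propagates the return value will start failing on such mounts. Suggest `return 0;` in both places so that "label ignored" looks the same in both cases, or explain in the commit message why an error is wanted. The `dentry->d_inode` versus `d_backing_inode(dentry)` remark from the first hunk applies to security_inode_setsecctx() as well, and since the `s_user_ns != &init_user_ns` test now appears four times in this file, a small static inline helper in security.c would keep them in step.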