From: David Howells <dhowells@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: dhowells@redhat.com, Jeff Layton <jlayton@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
Anna Schumaker <anna@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Scott Mayhew <smayhew@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org,
selinux@vger.kernel.org
Subject: Re: [PATCH v6] vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing
Date: Fri, 04 Aug 2023 16:16:18 +0100 [thread overview]
Message-ID: <2678222.1691162178@warthog.procyon.org.uk> (raw)
In-Reply-To: <bac543537058619345b363bbfc745927.paul@paul-moore.com>
Paul Moore <paul@paul-moore.com> wrote:
>
> I generally dislike core kernel code which makes LSM calls conditional
> on some kernel state maintained outside the LSM. Sometimes it has to
> be done as there is no other good options, but I would like us to try
> and avoid it if possible. The commit description mentioned that this
> was put here to avoid a SELinux complaint, can you provide an example
> of the complain? Does it complain about a double/invalid mount, e.g.
> "SELinux: mount invalid. Same superblock, different security ..."?
>
> I'd like to understand why the sb_set_mnt_opts() call fails when it
> comes after the fs_context_init() call. I'm particulary curious to
> know if the failure is due to conflicting SELinux state in the
> fs_context, or if it is simply an issue of sb_set_mnt_opts() not
> properly handling existing values. Perhaps I'm being overly naive,
> but I'm hopeful that we can address both of these within the SELinux
> code itself.
>
> In a worst case situation, we could always implement a flag *inside*
> the SELinux code, similar to what has been done with 'lsm_set' here.
IIRC, the issue is when you make a mount with an explicit context= setting and
make another mount from some way down the export tree that doesn't have an
explicit setting, e.g.:
mount carina:/ /mnt -o context=system_u:object_r:root_t:s0
mount carina:/nfs/scratch /mnt2
and then cause an automount to walk from one to the other:
stat /mnt/nfs/scratch/foo
For reference, my server has:
/nfs/scratch 192.168.6.0/255.255.255.0,90.155.74.16/255.255.255.248
/nfs 192.168.6.0/255.255.255.0,90.155.74.16/255.255.255.248
/ 192.168.6.0/255.255.255.0,90.155.74.16/255.255.255.248
and if I look in /proc/fs/nfsfs/volumes, I can see the individual superblocks:
NV SERVER PORT DEV FSID FSC
v4 c0a80601 801 0:51 0:0 no
v4 c0a80601 801 0:56 3:0 no
v4 c0a80601 801 0:52 1:0 no
v4 c0a80601 801 0:55 3:0 no
As you can see, there are two referring to the same 'volume'.
Without the "fc->lsm_set=true" bit, you get an error something like:
SELinux: mount invalid. Same superblock, different security settings for (dev 0:56, type nfs4)
One important question is how should sharing of a mount with unspecified
context be handled when we try to unify it with a mount that has an explicit
context?
David
next prev parent reply other threads:[~2023-08-04 15:17 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-02 16:49 [PATCH v6] vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing Jeff Layton
2023-08-02 18:16 ` Paul Moore
2023-08-02 19:34 ` Jeff Layton
2023-08-03 2:46 ` Paul Moore
2023-08-03 16:27 ` Jeff Layton
2023-08-04 2:48 ` Paul Moore
2023-08-04 12:58 ` Jeff Layton
2023-08-03 13:27 ` Christian Brauner
2023-08-03 16:09 ` Jeff Layton
2023-08-03 17:36 ` Christian Brauner
2023-08-03 18:58 ` Jeff Layton
2023-08-04 8:25 ` Christian Brauner
2023-08-04 13:25 ` Jeff Layton
2023-08-04 13:38 ` Christian Brauner
2023-08-04 15:16 ` David Howells [this message]
2023-08-04 15:22 ` David Howells
2023-08-04 16:00 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2678222.1691162178@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=anna@kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=eparis@parisplace.org \
--cc=jlayton@kernel.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=smayhew@redhat.com \
--cc=stephen.smalley.work@gmail.com \
--cc=trond.myklebust@hammerspace.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).