From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH v2 5/7] selinux: Add support for unprivileged mounts from user namespaces
To: Seth Forshee, "Eric W. Biederman", Paul Moore, Eric Paris
References: <1444755861-54997-1-git-send-email-seth.forshee@canonical.com> <1444755861-54997-6-git-send-email-seth.forshee@canonical.com>
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, James Morris, dm-devel@redhat.com, linux-kernel@vger.kernel.org, Andy Lutomirski, linux-raid@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
From: Stephen Smalley Organization: National Security Agency Message-ID: <561D691D.9080209@tycho.nsa.gov> Date: Tue, 13 Oct 2015 16:27:09 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 In-Reply-To: <1444755861-54997-6-git-send-email-seth.forshee@canonical.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 10/13/2015 01:04 PM, Seth Forshee wrote: > Security labels from unprivileged mounts in user namespaces must > be ignored. Force superblocks from user namespaces whose labeling > behavior is to use xattrs to use mountpoint labeling instead. > For the mountpoint label, default to converting the current task > context into a form suitable for file objects, but also allow the > policy writer to specify a different label through policy > transition rules. > > Pieced together from code snippets provided by Stephen Smalley. > > Signed-off-by: Seth Forshee Acked-by: Stephen Smalley > --- > security/selinux/hooks.c | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index de05207eb665..09be1dc21e58 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c 
> @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, > goto out; > } > } > + > + /* > + * If this is a user namespace mount, no contexts are allowed > + * on the command line and security labels must be ignored. > + */ > + if (sb->s_user_ns != &init_user_ns) { > + if (context_sid || fscontext_sid || rootcontext_sid || > + defcontext_sid) { > + rc = -EACCES; > + goto out; > + } > + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { > + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; > + rc = security_transition_sid(current_sid(), current_sid(), > + SECCLASS_FILE, NULL, > + &sbsec->mntpoint_sid); > + if (rc) > + goto out; > + } > + goto out_set_opts; > + } > + > /* sets the context of the superblock for the fs being mounted. */ > if (fscontext_sid) { > rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); > @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, > sbsec->def_sid = defcontext_sid; > } > > +out_set_opts: > rc = sb_finish_set_opts(sb); > out: > mutex_unlock(&sbsec->lock); >
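Review bot: in the first hunk, sbsec->behavior is switched to SECURITY_FS_USE_MNTPOINT before security_transition_sid() is called, so when the transition fails the following "goto out" leaves the superblock's security struct with the new behavior but no valid mntpoint_sid. Consider computing the transition into a local SID first and assigning both fields only on success, or, if the caller tears down the superblock whenever selinux_set_mnt_opts() fails, say so in the comment so the partial update is visibly harmless. The comment above the block would also help readers if it explained why current_sid() is passed as both source and target: the default mountpoint label is the mounting task's own context transitioned for SECCLASS_FILE, which policy transition rules may override, as the commit message describes.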