[RFC PATCH selinuxns 1/3] selinux: do not cache sblabel mount flag in superblock

[RFC PATCH selinuxns 1/3] selinux: do not cache sblabel mount flag in superblock

[Stephen Smalley]

Currently SELinux determines whether the superblock supports
security labeling at superblock creation time and caches it
as a SBLABEL_MNT flag in the superblock security blob. However,
with the introduciton of SELinux namespaces, this can change
within a child SELinux namespace due to a different value for
the cgroupseclabel policy capability in its policy. Stop
precomputing and caching this flag and instead check it on use.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c            | 22 ++++++----------------
 security/selinux/include/security.h |  1 -
 2 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7003a3f96ead..61171c45329f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -581,16 +581,6 @@ static int sb_finish_set_opts(struct super_block *sb)
 
 	sbsec->flags |= SE_SBINITIALIZED;
 
-	/*
-	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
-	 * leave the flag untouched because sb_clone_mnt_opts might be handing
-	 * us a superblock that needs the flag to be cleared.
-	 */
-	if (selinux_is_sblabel_mnt(sb))
-		sbsec->flags |= SBLABEL_MNT;
-	else
-		sbsec->flags &= ~SBLABEL_MNT;
-
 	/* Initialize the root inode. */
 	rc = inode_doinit_with_dentry(root_inode, root);
 
@@ -1141,7 +1131,7 @@ static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
 		if (rc)
 			return rc;
 	}
-	if (sbsec->flags & SBLABEL_MNT) {
+	if (selinux_is_sblabel_mnt(sb)) {
 		seq_putc(m, ',');
 		seq_puts(m, SECLABEL_STR);
 	}
@@ -1815,7 +1805,7 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
 	if ((sbsec->flags & SE_SBINITIALIZED) &&
 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
 		*_new_isid = sbsec->mntpoint_sid;
-	} else if ((sbsec->flags & SBLABEL_MNT) &&
+	} else if (selinux_is_sblabel_mnt(dir->i_sb) &&
 		   tsec->create_sid) {
 		*_new_isid = tsec->create_sid;
 	} else {
@@ -3023,7 +3013,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 	}
 
 	if (!selinux_initialized(current_selinux_state) ||
-	    !(sbsec->flags & SBLABEL_MNT))
+	    !selinux_is_sblabel_mnt(dir->i_sb))
 		return -EOPNOTSUPP;
 
 	if (xattr) {
@@ -3454,7 +3444,7 @@ static int selinux_inode_setxattr(struct mnt_idmap *idmap,
 		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
 
 	sbsec = selinux_superblock(inode->i_sb);
-	if (!(sbsec->flags & SBLABEL_MNT))
+	if (!selinux_is_sblabel_mnt(inode->i_sb))
 		return -EOPNOTSUPP;
 
 	if (!inode_owner_or_capable(idmap, inode))
@@ -3730,7 +3720,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
 		return -EOPNOTSUPP;
 
 	sbsec = selinux_superblock(inode->i_sb);
-	if (!(sbsec->flags & SBLABEL_MNT))
+	if (!selinux_is_sblabel_mnt(inode->i_sb))
 		return -EOPNOTSUPP;
 
 	if (!value || !size)
@@ -7105,7 +7095,7 @@ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen
 {
 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
 					   ctx, ctxlen, 0);
-	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
+	/* Do not return error when suppressing label. */
 	return rc == -EOPNOTSUPP ? 0 : rc;
 }
 
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index e3e0b1eb7575..c5df7a0b0069 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -63,7 +63,6 @@
 #define FSCONTEXT_MNT	0x02
 #define ROOTCONTEXT_MNT 0x04
 #define DEFCONTEXT_MNT	0x08
-#define SBLABEL_MNT	0x10
 /* Non-mount related flags */
 #define SE_SBINITIALIZED 0x0100
 #define SE_SBPROC	 0x0200
-- 
2.51.1

[RFC PATCH selinuxns 2/3] selinux: do not cache genfs xattr flag in superblock security blob

[Stephen Smalley]

We should only try to fetch the xattr for cgroup or cgroup2 inodes if
the cgroup_seclabel policy capability is enabled in the policy.
Since this may differ in a child SELinux namespace, we need to check
it at inode labeling time rather than only on superblock initialization.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c            | 12 ++++++++----
 security/selinux/include/security.h |  1 -
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 61171c45329f..5cfb7d8106fb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -749,7 +749,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	if (!strcmp(sb->s_type->name, "sysfs") ||
 	    !strcmp(sb->s_type->name, "cgroup") ||
 	    !strcmp(sb->s_type->name, "cgroup2"))
-		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
+		sbsec->flags |= SE_SBGENFS;
 
 	if (!sbsec->behavior) {
 		/*
@@ -1428,6 +1428,7 @@ static int inode_doinit_use_xattr(struct selinux_state *state,
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
 {
 	struct selinux_state *state = current_selinux_state;
+	struct super_block *sb = inode->i_sb;
 	struct superblock_security_struct *sbsec = NULL;
 	struct inode_security_struct *isec = selinux_inode(inode);
 	u32 task_sid, sid = 0;
@@ -1451,7 +1452,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 	while (state && !selinux_initialized(state))
 		state = state->parent;
 
-	sbsec = selinux_superblock(inode->i_sb);
+	sbsec = selinux_superblock(sb);
 	if (!state || !(sbsec->flags & SE_SBINITIALIZED)) {
 		/* Defer initialization until selinux_complete_init,
 		   after the initial policy is loaded and the security
@@ -1571,8 +1572,11 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 				goto out;
 			}
 
-			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
-			    (inode->i_opflags & IOP_XATTR)) {
+			if ((inode->i_opflags & IOP_XATTR) &&
+			    (!strcmp(sb->s_type->name, "sysfs") ||
+			     (selinux_policycap_cgroupseclabel() &&
+			      (!strcmp(sb->s_type->name, "cgroup") ||
+			       !strcmp(sb->s_type->name, "cgroup2"))))) {
 				rc = inode_doinit_use_xattr(state, inode,
 							    dentry, sid,
 							    &sid);
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index c5df7a0b0069..8d39137c6ebc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -67,7 +67,6 @@
 #define SE_SBINITIALIZED 0x0100
 #define SE_SBPROC	 0x0200
 #define SE_SBGENFS	 0x0400
-#define SE_SBGENFS_XATTR 0x0800
 #define SE_SBNATIVE	 0x1000
 
 #define CONTEXT_STR	"context"
-- 
2.51.1

[RFC PATCH selinuxns 3/3] selinux: ignore invalid contexts in kernfs_init_security in child namespace

[Stephen Smalley]

kernfs_init_security() tries to propagate the parent directory's
SELinux xattr to the child (or compute a transition, depending on
policy) when a child node is created. In the case of cgroup2,
this can cause a hard failure when trying to create any files
in the cgroup2 mount for a child SELinux namespace if the
context in the parent is invalid in the child. Treat this
the same way as if the parent lacked a SELinux xattr and just
let the child be labeled based on policy.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5cfb7d8106fb..bdfa97e32c67 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3830,8 +3830,13 @@ static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
 	rc = security_context_to_sid(current_selinux_state, context, clen,
 				     &parent_sid, GFP_KERNEL);
 	kfree(context);
-	if (rc)
+	if (rc) {
+		if (rc == -EINVAL &&
+			current_selinux_state != init_selinux_state) {
+			return 0;
+		}
 		return rc;
+	}
 
 	if (tsec->create_sid) {
 		newsid = tsec->create_sid;
-- 
2.51.1