From patchwork Wed Dec 2 15:40:04 2015 X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 551425
From: Seth Forshee To: "Eric W. Biederman" , Paul Moore , Stephen Smalley , Eric Paris Subject: [PATCH 04/19] selinux: Add support for unprivileged mounts from user namespaces Date: Wed, 2 Dec 2015 09:40:04 -0600 Message-Id: <1449070821-73820-5-git-send-email-seth.forshee@canonical.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1449070821-73820-1-git-send-email-seth.forshee@canonical.com> References: <1449070821-73820-1-git-send-email-seth.forshee@canonical.com> Cc: Serge Hallyn , Seth Forshee , James Morris , dm-devel@redhat.com, Miklos Szeredi , Richard Weinberger , linux-security-module@vger.kernel.org, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn , linux-mtd@lists.infradead.org, Alexander Viro , selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, "Serge E. 
Hallyn" MIME-Version: 1.0 Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules. Pieced together from code snippets provided by Stephen Smalley. Signed-off-by: Seth Forshee Acked-by: Stephen Smalley Acked-by: James Morris --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a5b93df6553f..5fedc36dd6b2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -756,6 +756,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -824,6 +846,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
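Review bot: In the first hunk (@@ -756,6 +756,28 @@), the new `if (sb->s_user_ns != &init_user_ns)` block overrides the labeling behavior only when `sbsec->behavior == SECURITY_FS_USE_XATTR`; every other behavior value reaches `goto out_set_opts` unchanged. The commit message states that security labels from these mounts must be ignored, so the in-code comment should say why the remaining behaviors cannot carry labels supplied by the mounter (for example `SECURITY_FS_USE_NATIVE`), or the check should cover them. The same comment could also explain the `security_transition_sid(current_sid(), current_sid(), SECCLASS_FILE, NULL, &sbsec->mntpoint_sid)` call: passing the task SID as both source and target is what lets policy type-transition rules choose the mountpoint label, and that intent is only visible in the commit message today. Finally, the `rc = -EACCES` path for a supplied context option fails silently; a warning naming the superblock would save users from guessing which option was refused.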
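Review bot: In the second hunk (@@ -824,6 +846,7 @@), the `out_set_opts:` label placed just before `rc = sb_finish_set_opts(sb);` has no comment saying that the user-namespace path jumps here and skips everything between the two hunks, including the `may_context_mount_sb_relabel()` checks and `sbsec->def_sid = defcontext_sid;`. That is harmless now only because the first hunk rejects any mount where one of the four context SIDs is set, so the skipped code would have had nothing to apply. A short comment at the label stating that invariant would keep later additions to the skipped region from silently not applying to user-namespace mounts.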