From patchwork Fri Apr 22 15:38:24 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 613744
From: Seth Forshee
To: "Eric W. Biederman", Paul Moore, Stephen Smalley, Eric Paris
Subject: [PATCH v3 07/21] selinux: Add support for unprivileged mounts from user namespaces
Date: Fri, 22 Apr 2016 10:38:24 -0500
Message-Id: <1461339521-123191-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1461339521-123191-1-git-send-email-seth.forshee@canonical.com>
References: <1461339521-123191-1-git-send-email-seth.forshee@canonical.com>
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, Seth Forshee, James Morris, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov, "Serge E.
Hallyn" MIME-Version: 1.0 Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules. Pieced together from code snippets provided by Stephen Smalley. Signed-off-by: Seth Forshee Acked-by: Stephen Smalley Acked-by: James Morris --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1350167635cb..33beed3ac589 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -820,6 +820,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -888,6 +910,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
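Review bot: In the first hunk (@@ -820,6 +820,28 @@), the `sbsec->behavior == SECURITY_FS_USE_XATTR` branch calls `security_transition_sid(current_sid(), current_sid(), SECCLASS_FILE, NULL, &sbsec->mntpoint_sid)` with the task SID as both source and target, and the block comment above it only says that labels "must be ignored". The intent is spelled out in the commit message (derive a file-class label from the mounting task's context, overridable through policy transition rules) but not in the code, where the repeated `current_sid()` reads like a copy-and-paste slip; please move that explanation into the comment. The same comment should also say why only `SECURITY_FS_USE_XATTR` is rewritten to `SECURITY_FS_USE_MNTPOINT`: every other `sbsec->behavior` value falls straight through to `goto out_set_opts` unchanged, so a reader cannot tell from this hunk whether the other labeling behaviors were judged safe for a user namespace mount or were simply not considered.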
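Review bot: In the second hunk (@@ -888,6 +910,7 @@), the new `out_set_opts:` label in front of `rc = sb_finish_set_opts(sb);` has a single jump to it, the `goto out_set_opts;` in the user namespace branch, and that jump passes over all the context handling between the two hunks, from `if (fscontext_sid)` with its `may_context_mount_sb_relabel()` check down to `sbsec->def_sid = defcontext_sid;`. For the parts visible here the skip is harmless only because the branch has already returned -EACCES when any of `context_sid`, `fscontext_sid`, `rootcontext_sid` or `defcontext_sid` is set. A one-line comment at the `goto` stating that dependency would keep a later relaxation of the -EACCES test from silently bypassing those permission checks.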