From patchwork Tue Apr 26 19:36:20 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 615124
From: Seth Forshee
To: "Eric W. Biederman", Paul Moore, Stephen Smalley, Eric Paris
Subject: [PATCH v4 07/21] selinux: Add support for unprivileged mounts from user namespaces
Date: Tue, 26 Apr 2016 14:36:20 -0500
Message-Id: <1461699396-33000-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>
References: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, Seth Forshee, James Morris, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov, "Serge E.
Hallyn" MIME-Version: 1.0 Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file objects, but also allow the policy writer to specify a different label through policy transition rules. Pieced together from code snippets provided by Stephen Smalley. Signed-off-by: Seth Forshee Acked-by: Stephen Smalley Acked-by: James Morris --- security/selinux/hooks.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1350167635cb..33beed3ac589 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -820,6 +820,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } } + + /* + * If this is a user namespace mount, no contexts are allowed + * on the command line and security labels must be ignored. + */ + if (sb->s_user_ns != &init_user_ns) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; + goto out; + } + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; + rc = security_transition_sid(current_sid(), current_sid(), + SECCLASS_FILE, NULL, + &sbsec->mntpoint_sid); + if (rc) + goto out; + } + goto out_set_opts; + } + /* sets the context of the superblock for the fs being mounted. */ if (fscontext_sid) { rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); @@ -888,6 +910,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, sbsec->def_sid = defcontext_sid; } +out_set_opts: rc = sb_finish_set_opts(sb); out: mutex_unlock(&sbsec->lock);
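Review bot: in the first hunk (@@ -820), `sbsec->behavior = SECURITY_FS_USE_MNTPOINT;` is assigned before `security_transition_sid()` has succeeded, so the `if (rc) goto out;` error path leaves the superblock security struct switched to mountpoint labeling without a `mntpoint_sid` computed by this block. Computing the SID into a local variable first and assigning `behavior` and `mntpoint_sid` together after success would keep the two fields consistent on failure. The comment also says security labels must be ignored, yet only the `SECURITY_FS_USE_XATTR` case is rewritten; a sentence explaining why the other labeling behaviors can go to `out_set_opts` unchanged would make the intent checkable.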
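Review bot: the `out_set_opts:` label added in the second hunk (@@ -888) lets the user namespace path skip everything between the new block and `sb_finish_set_opts(sb)`, including the `may_context_mount_sb_relabel()` check visible in the first hunk's trailing context. That is safe only because the new block returns -EACCES when any of `context_sid`, `fscontext_sid`, `rootcontext_sid` or `defcontext_sid` is set. A short comment at the label stating that invariant would protect it if later changes add work to the skipped region that does not depend on a mount context option.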