Commit aad82892 authored by Seth Forshee, committed by Eric W. Biederman

selinux: Add support for unprivileged mounts from user namespaces

Security labels from unprivileged mounts in user namespaces must
be ignored. Force superblocks from user namespaces whose labeling
behavior is to use xattrs to use mountpoint labeling instead.
For the mountpoint label, default to converting the current task
context into a form suitable for file objects, but also allow the
policy writer to specify a different label through policy
transition rules.

Pieced together from code snippets provided by Stephen Smalley.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
parent 809c02e0
...@@ -830,6 +830,28 @@ static int selinux_set_mnt_opts(struct super_block *sb, ...@@ -830,6 +830,28 @@ static int selinux_set_mnt_opts(struct super_block *sb,
goto out; goto out;
} }
} }
/*
* If this is a user namespace mount, no contexts are allowed
* on the command line and security labels must be ignored.
*/
if (sb->s_user_ns != &init_user_ns) {
if (context_sid || fscontext_sid || rootcontext_sid ||
defcontext_sid) {
rc = -EACCES;
goto out;
}
if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
rc = security_transition_sid(current_sid(), current_sid(),
SECCLASS_FILE, NULL,
&sbsec->mntpoint_sid);
if (rc)
goto out;
}
goto out_set_opts;
}
/* sets the context of the superblock for the fs being mounted. */ /* sets the context of the superblock for the fs being mounted. */
if (fscontext_sid) { if (fscontext_sid) {
rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
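Review bot: The comment on the new sb->s_user_ns != &init_user_ns block does not explain two choices that are visible in the code beneath it. First, the -EACCES rejection of context_sid, fscontext_sid, rootcontext_sid and defcontext_sid applies to every filesystem mounted from a non-initial user namespace, while the label override is applied only when sbsec->behavior == SECURITY_FS_USE_XATTR; please state in the comment why the other labeling behaviors are safe to leave unchanged on this path. Second, security_transition_sid() is called with current_sid() as both source and target; the commit message says this converts the task context into a file label and lets policy transition rules override it, and that sentence belongs next to the call. The denial also returns with no message, so a user who passes context= inside a user namespace sees only a bare EACCES from mount; consider whether a log line is wanted here.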
...@@ -898,6 +920,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, ...@@ -898,6 +920,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
sbsec->def_sid = defcontext_sid; sbsec->def_sid = defcontext_sid;
} }
out_set_opts:
rc = sb_finish_set_opts(sb); rc = sb_finish_set_opts(sb);
out: out:
mutex_unlock(&sbsec->lock); mutex_unlock(&sbsec->lock);
......
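Review bot: The new out_set_opts label is reached from the user namespace block by a goto that skips everything between that block and sb_finish_set_opts(sb), including the may_context_mount_sb_relabel() check and the sbsec->def_sid assignment shown as context here. On that path the only state visibly written is sbsec->behavior and sbsec->mntpoint_sid. Please confirm that sb_finish_set_opts() needs nothing else that the skipped code would have set for a SECURITY_FS_USE_MNTPOINT superblock, and add a short comment at the label saying which callers jump to it and what they must have initialised first.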