Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753223AbbGWN7M (ORCPT ); Thu, 23 Jul 2015 09:59:12 -0400 Received: from emvm-gh1-uea09.nsa.gov ([63.239.67.10]:57825 "EHLO emvm-gh1-uea09.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752849AbbGWN66 (ORCPT ); Thu, 23 Jul 2015 09:58:58 -0400 X-TM-IMSS-Message-ID: Message-ID: <55B0F2C0.8070709@tycho.nsa.gov> Date: Thu, 23 Jul 2015 09:57:20 -0400 From: Stephen Smalley Organization: National Security Agency User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: Seth Forshee CC: Serge Hallyn , selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, Andy Lutomirski , linux-security-module@vger.kernel.org, Alexander Viro , James Morris , linux-fsdevel@vger.kernel.org, Casey Schaufler Subject: Re: [PATCH 6/7] selinux: Ignore security labels on user namespace mounts References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com> <1436989569-69582-7-git-send-email-seth.forshee@canonical.com> <55A7B055.4050809@tycho.nsa.gov> <55AFBE85.6010809@tycho.nsa.gov> <20150722161422.GC124342@ubuntu-hedt> <55AFFC32.6070701@tycho.nsa.gov> <55AFFFBD.8040907@tycho.nsa.gov> In-Reply-To: <55AFFFBD.8040907@tycho.nsa.gov> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5174 Lines: 117 On 07/22/2015 04:40 PM, Stephen Smalley wrote: > On 07/22/2015 04:25 PM, Stephen Smalley wrote: >> On 07/22/2015 12:14 PM, Seth Forshee wrote: >>> On Wed, Jul 22, 2015 at 12:02:13PM -0400, Stephen Smalley wrote: >>>> On 07/16/2015 09:23 AM, Stephen Smalley wrote: >>>>> On 07/15/2015 03:46 PM, Seth Forshee wrote: >>>>>> Unprivileged users should not be able to supply security labels >>>>>> in filesystems, nor should they be able to supply security >>>>>> contexts in unprivileged mounts. For any mount where s_user_ns is >>>>>> not init_user_ns, force the use of SECURITY_FS_USE_NONE behavior >>>>>> and return EPERM if any contexts are supplied in the mount >>>>>> options. >>>>>> >>>>>> Signed-off-by: Seth Forshee >>>>> >>>>> I think this is obsoleted by the subsequent discussion, but just for the >>>>> record: this patch would cause the files in the userns mount to be left >>>>> with the "unlabeled" label, and therefore under typical policies, >>>>> completely inaccessible to any process in a confined domain. >>>> >>>> The right way to handle this for SELinux would be to automatically use >>>> mountpoint labeling (SECURITY_FS_USE_MNTPOINT, normally set by >>>> specifying a context= mount option), with the sbsec->mntpoint_sid set >>>> from some related object (e.g. the block device file context, as in your >>>> patches for Smack). That will cause SELinux to use that value instead >>>> of any xattr value from the filesystem and will cause attempts by >>>> userspace to set the security.selinux xattr to fail on that filesystem. >>>> That is how SELinux normally deals with untrusted filesystems, except >>>> that it is normally specified as a mount option by a trusted mounting >>>> process, whereas in your case you need to automatically set it. >>> >>> Excellent, thank you for the advice. I'll start on this when I've >>> finished with Smack. >> >> Not tested, but something like this should work. Note that it should >> come after the call to security_fs_use() so we know whether SELinux >> would even try to use xattrs supplied by the filesystem in the first place. >> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >> index 564079c..84da3a2 100644 >> --- a/security/selinux/hooks.c >> +++ b/security/selinux/hooks.c >> @@ -745,6 +745,30 @@ static int selinux_set_mnt_opts(struct super_block *sb, >> goto out; >> } >> } >> + >> + /* >> + * If this is a user namespace mount, no contexts are allowed >> + * on the command line and security labels must be ignored. >> + */ >> + if (sb->s_user_ns != &init_user_ns) { >> + if (context_sid || fscontext_sid || rootcontext_sid || >> + defcontext_sid) { >> + rc = -EACCES; >> + goto out; >> + } >> + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { >> + struct block_device *bdev = sb->s_bdev; >> + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; >> + if (bdev) { >> + struct inode_security_struct *isec = >> bdev->bd_inode; > > That should be bdev->bd_inode->i_security. Sorry, this won't work. bd_inode is not the inode of the block device file that was passed to mount, and it isn't labeled in any way. It will just be unlabeled. So I guess the only real option here as a fallback is sbsec->mntpoint_sid = current_sid(). Which isn't great either, as the only case where we currently assign task labels to files is for their /proc/pid inodes, and no current policy will therefore allow create permission to such files. > >> + sbsec->mntpoint_sid = isec->sid; >> + } else { >> + sbsec->mntpoint_sid = current_sid(); >> + } >> + } >> + goto out_set_opts; >> + } >> + >> /* sets the context of the superblock for the fs being mounted. */ >> if (fscontext_sid) { >> rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, >> cred); >> @@ -813,6 +837,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, >> sbsec->def_sid = defcontext_sid; >> } >> >> +out_set_opts: >> rc = sb_finish_set_opts(sb); >> out: >> mutex_unlock(&sbsec->lock); >> >> _______________________________________________ >> Selinux mailing list >> Selinux@tycho.nsa.gov >> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. >> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. >> > > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/