Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753754AbbGWOjd (ORCPT ); Thu, 23 Jul 2015 10:39:33 -0400 Received: from mail-oi0-f47.google.com ([209.85.218.47]:33301 "EHLO mail-oi0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752894AbbGWOj0 (ORCPT ); Thu, 23 Jul 2015 10:39:26 -0400 Date: Thu, 23 Jul 2015 09:39:20 -0500 From: Seth Forshee To: Stephen Smalley Cc: Serge Hallyn , selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, Andy Lutomirski , linux-security-module@vger.kernel.org, Alexander Viro , James Morris , linux-fsdevel@vger.kernel.org, Casey Schaufler Subject: Re: [PATCH 6/7] selinux: Ignore security labels on user namespace mounts Message-ID: <20150723143920.GA25235@ubuntu-hedt> References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com> <1436989569-69582-7-git-send-email-seth.forshee@canonical.com> <55A7B055.4050809@tycho.nsa.gov> <55AFBE85.6010809@tycho.nsa.gov> <20150722161422.GC124342@ubuntu-hedt> <55AFFC32.6070701@tycho.nsa.gov> <55AFFFBD.8040907@tycho.nsa.gov> <55B0F2C0.8070709@tycho.nsa.gov> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <55B0F2C0.8070709@tycho.nsa.gov> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4352 Lines: 87 On Thu, Jul 23, 2015 at 09:57:20AM -0400, Stephen Smalley wrote: > On 07/22/2015 04:40 PM, Stephen Smalley wrote: > > On 07/22/2015 04:25 PM, Stephen Smalley wrote: > >> On 07/22/2015 12:14 PM, Seth Forshee wrote: > >>> On Wed, Jul 22, 2015 at 12:02:13PM -0400, Stephen Smalley wrote: > >>>> On 07/16/2015 09:23 AM, Stephen Smalley wrote: > >>>>> On 07/15/2015 03:46 PM, Seth Forshee wrote: > >>>>>> Unprivileged users should not be able to supply security labels > >>>>>> in filesystems, nor should they be able to supply security > >>>>>> contexts in unprivileged mounts. For any mount where s_user_ns is > >>>>>> not init_user_ns, force the use of SECURITY_FS_USE_NONE behavior > >>>>>> and return EPERM if any contexts are supplied in the mount > >>>>>> options. > >>>>>> > >>>>>> Signed-off-by: Seth Forshee > >>>>> > >>>>> I think this is obsoleted by the subsequent discussion, but just for the > >>>>> record: this patch would cause the files in the userns mount to be left > >>>>> with the "unlabeled" label, and therefore under typical policies, > >>>>> completely inaccessible to any process in a confined domain. > >>>> > >>>> The right way to handle this for SELinux would be to automatically use > >>>> mountpoint labeling (SECURITY_FS_USE_MNTPOINT, normally set by > >>>> specifying a context= mount option), with the sbsec->mntpoint_sid set > >>>> from some related object (e.g. the block device file context, as in your > >>>> patches for Smack). That will cause SELinux to use that value instead > >>>> of any xattr value from the filesystem and will cause attempts by > >>>> userspace to set the security.selinux xattr to fail on that filesystem. > >>>> That is how SELinux normally deals with untrusted filesystems, except > >>>> that it is normally specified as a mount option by a trusted mounting > >>>> process, whereas in your case you need to automatically set it. > >>> > >>> Excellent, thank you for the advice. I'll start on this when I've > >>> finished with Smack. > >> > >> Not tested, but something like this should work. Note that it should > >> come after the call to security_fs_use() so we know whether SELinux > >> would even try to use xattrs supplied by the filesystem in the first place. > >> > >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > >> index 564079c..84da3a2 100644 > >> --- a/security/selinux/hooks.c > >> +++ b/security/selinux/hooks.c > >> @@ -745,6 +745,30 @@ static int selinux_set_mnt_opts(struct super_block *sb, > >> goto out; > >> } > >> } > >> + > >> + /* > >> + * If this is a user namespace mount, no contexts are allowed > >> + * on the command line and security labels must be ignored. > >> + */ > >> + if (sb->s_user_ns != &init_user_ns) { > >> + if (context_sid || fscontext_sid || rootcontext_sid || > >> + defcontext_sid) { > >> + rc = -EACCES; > >> + goto out; > >> + } > >> + if (sbsec->behavior == SECURITY_FS_USE_XATTR) { > >> + struct block_device *bdev = sb->s_bdev; > >> + sbsec->behavior = SECURITY_FS_USE_MNTPOINT; > >> + if (bdev) { > >> + struct inode_security_struct *isec = > >> bdev->bd_inode; > > > > That should be bdev->bd_inode->i_security. > > Sorry, this won't work. bd_inode is not the inode of the block device > file that was passed to mount, and it isn't labeled in any way. It will > just be unlabeled. > > So I guess the only real option here as a fallback is > sbsec->mntpoint_sid = current_sid(). Which isn't great either, as the > only case where we currently assign task labels to files is for their > /proc/pid inodes, and no current policy will therefore allow create > permission to such files. Darn, you're right, that isn't the inode we want. There really doesn't seem to be any way to get back to the one we want from the LSM, short of adding a new hook. Seth -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/