From: Taras Kondratiuk
To: Paul Moore, Stephen Smalley, Eric Paris
Cc: selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, xe-linux-external@cisco.com
Subject: [RFC PATCH] selinux: add a fallback to defcontext for native labeling
Date: Wed, 19 Sep 2018 16:52:48 +0000
Message-Id: <20180919165248.53090-1-takondra@cisco.com>

When files on an NFSv4 server are not properly labeled (the label doesn't match a policy on the client), they will end up with the unlabeled_t type, which is too generic. We would like to be able to set a default context per mount. The 'defcontext' mount option looks like a nice solution, but it doesn't seem to be fully implemented for native labeling. The default context is stored, but is never used.

The patch adds a fallback to the default context if a received context is invalid. If the inode context is already initialized, then it is left untouched to preserve a context set locally on the client.

Signed-off-by: Taras Kondratiuk
---
 security/selinux/hooks.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad9a9b8e9979..f7debe798bf5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6598,7 +6598,30 @@ static void selinux_inode_invalidate_secctx(struct inode *inode) */ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) { - return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); + struct superblock_security_struct *sbsec; + struct inode_security_struct *isec; + int rc; + + rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); + + /* + * In case of Native labeling with defcontext mount option fall back + * to a default SID if received context is invalid. + */ + if (rc == -EINVAL) { + sbsec = inode->i_sb->s_security; + if (sbsec->behavior == SECURITY_FS_USE_NATIVE && + sbsec->flags & DEFCONTEXT_MNT) { + isec = inode->i_security; + if (!isec->initialized) { + isec->sclass = inode_mode_to_security_class(inode->i_mode); + isec->sid = sbsec->def_sid; + isec->initialized = 1; + } + rc = 0; + } + } + return rc; } /* -- 2.10.3.dirty
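Review bot: the fallback branch in this hunk turns a rejected server-supplied context into a silent success (rc = 0) and writes isec->sclass, isec->sid and isec->initialized directly, so two things should be addressed. First, the inode_security_struct fields are updated here outside the helper that was just called at the top of the function; if that helper protects those fields with isec->lock, take the same lock around the three assignments, since this hook can run concurrently with other label initialisation of the same inode. Second, from an operator's point of view the -EINVAL is the only signal that a file on the server carries a label the client policy does not know; swallowing it means mislabeled exports are no longer detectable from the client. Consider emitting a rate-limited warning or audit record when the fallback to sbsec->def_sid is taken, and document in the commit message that success is reported even though the received context was rejected. Minor style points: wrap `sbsec->flags & DEFCONTEXT_MNT` in parentheses inside the `&&` condition for readability, and, if the tree defines a named constant for the initialized state, use it instead of the literal `isec->initialized = 1;`.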