From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ondrej Mosnacek, Paul Moore, Sasha Levin
Subject: [PATCH 4.14 19/63] selinux: always allow mounting submounts
Date: Thu, 24 Jan 2019 20:20:08 +0100
Message-Id: <20190124190157.347272568@linuxfoundation.org>
In-Reply-To: <20190124190155.176570028@linuxfoundation.org>
References: <20190124190155.176570028@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 2cbdcb882f97a45f7475c67ac6257bbc16277dfe ]

If a superblock has the MS_SUBMOUNT flag set, we should always allow
mounting it. These mounts are done automatically by the kernel either as
part of mounting some parent mount (e.g. debugfs always mounts tracefs
under "tracing" for compatibility) or they are mounted automatically as
needed on subdirectory accesses (e.g. NFS crossmnt mounts). Since such
automounts are either an implicit consequence of the parent mount (which
is already checked) or they can happen during regular accesses (where it
doesn't make sense to check against the current task's context), the
mount permission check should be skipped for them.

Without this patch, attempts to access contents of an automounted
directory can cause unexpected SELinux denials.

In the current kernel tree, the MS_SUBMOUNT flag is set only via
vfs_submount(), which is called only from the following places:
 - AFS, when automounting special "symlinks" referencing other cells
 - CIFS, when automounting "referrals"
 - NFS, when automounting subtrees
 - debugfs, when automounting tracefs

In all cases the submounts are meant to be transparent to the user and
it makes sense that if mounting the master is allowed, then so should be
the automounts.

Note that CAP_SYS_ADMIN capability checking is already skipped for
(SB_KERNMOUNT|SB_SUBMOUNT) in:
 - sget_userns() in fs/super.c:
	if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) &&
	    !(type->fs_flags & FS_USERNS_MOUNT) &&
	    !capable(CAP_SYS_ADMIN))
		return ERR_PTR(-EPERM);
 - sget() in fs/super.c:
	/* Ensure the requestor has permissions over the target filesystem */
	if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN))
		return ERR_PTR(-EPERM);

Verified internally on patched RHEL 7.6 with a reproducer using
NFS+httpd and selinux-testsuite.

Fixes: 93faccbbfa95 ("fs: Better permission checking for submounts")
Signed-off-by: Ondrej Mosnacek
Signed-off-by: Paul Moore
Signed-off-by: Sasha Levin

--- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f5d304736852..d6b9ed34ceae 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2820,7 +2820,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) return rc; /* Allow all mounts performed by the kernel */ - if (flags & MS_KERNMOUNT) + if (flags & (MS_KERNMOUNT | MS_SUBMOUNT)) return 0; ad.type = LSM_AUDIT_DATA_DENTRY; -- 2.19.1
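
Review bot: The comment above the changed condition in selinux_sb_kern_mount() still reads "Allow all mounts performed by the kernel", which no longer says why MS_SUBMOUNT is exempt. Because this early "return 0" skips the permission check set up in the lines that follow, the comment should record the invariant the exemption depends on, as the commit message does: MS_SUBMOUNT is set only via vfs_submount(), and the parent mount has already been checked. Wording along the lines of "Allow kernel-internal mounts and automatic submounts of an already-checked parent" would keep a later reader from treating the flag as trustworthy from any caller. Separately, the commit message cites the fs/super.c checks with SB_KERNMOUNT|SB_SUBMOUNT while this hunk tests MS_KERNMOUNT | MS_SUBMOUNT; it is worth confirming that the MS_* names are the ones intended for this tree.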