From: Stephen Smalley
Date: Tue, 10 Mar 2020 11:54:48 -0400
Subject: Re: [PATCH] NFS: Ensure security label is set for root inode
To: Scott Mayhew
Cc: trond.myklebust@hammerspace.com, anna.schumaker@netapp.com, Richard Haines, bfields@fieldses.org, Paul Moore, Stephen Smalley, linux-nfs@vger.kernel.org, SElinux list
In-Reply-To: <20200303225837.1557210-1-smayhew@redhat.com>
X-Mailing-List: linux-nfs@vger.kernel.org

On Tue, Mar 3, 2020 at 5:59 PM Scott Mayhew wrote:
>
> When using NFSv4.2, the security label for the root inode should be set
> via a call to nfs_setsecurity() during the mount process, otherwise the
> inode will appear as unlabeled for up to acdirmin seconds. Currently
> the label for the root inode is allocated, retrieved, and freed entirely
> within nfs4_proc_get_root().
>
> Add a field for the label to the nfs_fattr struct, and allocate & free
> the label in nfs_get_root(), where we also add a call to
> nfs_setsecurity(). Note that for the call to nfs_setsecurity() to
> succeed, it's necessary to also move the logic calling
> security_sb_{set,clone}_security() from nfs_get_tree_common() down into
> nfs_get_root()... otherwise the SBLABEL_MNT flag will not be set in the
> super_block's security flags and nfs_setsecurity() will silently fail.
>
> Reported-by: Richard Haines
> Signed-off-by: Scott Mayhew

Acked-by: Stephen Smalley
Tested-by: Stephen Smalley