From: Olga Kornievskaia
To: trond.myklebust@hammerspace.com, anna.schumaker@netapp.com
Cc: linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v2 2/2] NFSv4 account for selinux security context when deciding to share superblock
Date: Thu, 18 Feb 2021 14:50:46 -0500
Message-Id: <20210218195046.19280-2-olga.kornievskaia@gmail.com>
In-Reply-To: <20210218195046.19280-1-olga.kornievskaia@gmail.com>
References: <20210218195046.19280-1-olga.kornievskaia@gmail.com>
X-Mailing-List: linux-nfs@vger.kernel.org
From: Olga Kornievskaia

Keep track of whether or not there was an selinux context mount option during the mount. While deciding if the superblock can be shared for the new mount, check if we had an selinux context on the existing mount and call into selinux to tell if the new passed-in selinux context is compatible with the existing mount's options.

Previously, NFS wasn't able to do the following 2 mounts:

mount -o vers=4.2,sec=sys,context=system_u:object_r:root_t:s0 :/ /mnt
mount -o vers=4.2,sec=sys,context=system_u:object_r:swapfile_t:s0 :/scratch /scratch

The 2nd mount would fail with "mount.nfs: an incorrect mount option was specified" and var log messages would have: "SElinux: mount invalid. Same superblock, different security settings for.."

Signed-off-by: Olga Kornievskaia

--- fs/nfs/fs_context.c | 3 +++ fs/nfs/internal.h | 1 + fs/nfs/super.c | 4 ++++ include/linux/nfs_fs_sb.h | 1 + 4 files changed, 9 insertions(+) diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c index 06894bcdea2d..8067f055d842 100644 --- a/fs/nfs/fs_context.c +++ b/fs/nfs/fs_context.c @@ -448,6 +448,9 @@ static int nfs_fs_context_parse_param(struct fs_context *fc, if (opt < 0) return ctx->sloppy ? 1 : opt; + if (fc->security) + ctx->has_sec_mnt_opts = 1; + switch (opt) { case Opt_source: if (fc->source) diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h index 62d3189745cd..08f4f34e8cf5 100644 --- a/fs/nfs/internal.h +++ b/fs/nfs/internal.h @@ -96,6 +96,7 @@ struct nfs_fs_context { char *fscache_uniq; unsigned short protofamily; unsigned short mountfamily; + bool has_sec_mnt_opts; struct { union { diff --git a/fs/nfs/super.c b/fs/nfs/super.c index 4034102010f0..0a2d252cf90f 100644 --- a/fs/nfs/super.c +++ b/fs/nfs/super.c
@@ -1058,6 +1058,7 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) &sb->s_blocksize_bits); nfs_super_set_maxbytes(sb, server->maxfilesize); + server->has_sec_mnt_opts = ctx->has_sec_mnt_opts; } static int nfs_compare_mount_options(const struct super_block *s, const struct nfs_server *b, @@ -1174,6 +1175,9 @@ static int nfs_compare_super(struct super_block *sb, struct fs_context *fc) return 0; if (!nfs_compare_userns(old, server)) return 0; + if ((old->has_sec_mnt_opts || fc->security) && + security_sb_mnt_opts_compat(sb, fc->security)) + return 0; return nfs_compare_mount_options(sb, server, fc); } diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h index 38e60ec742df..3f0acada5794 100644 --- a/include/linux/nfs_fs_sb.h +++ b/include/linux/nfs_fs_sb.h @@ -254,6 +254,7 @@ struct nfs_server { /* User namespace info */ const struct cred *cred; + bool has_sec_mnt_opts; }; /* Server capabilities */ -- 2.27.0
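Review bot: in the fs_context.c hunk, `ctx->has_sec_mnt_opts` is set only as a side effect of parsing some other parameter after `fc->security` has already been populated, because the assignment sits in nfs_fs_context_parse_param below the `if (opt < 0)` check rather than being tied to the security option itself. If the LSM consumes the security option before it reaches this hook and that option is the last one on the command line (as `context=` is in both example mount lines in the commit message), no later parameter arrives here and the flag stays clear; deriving the flag from `fc->security` at the point where the server is filled in would not depend on option order. Also, `has_sec_mnt_opts` is declared `bool` in internal.h, so assign `true` rather than `1`.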
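Review bot: in the nfs_compare_super hunk, `security_sb_mnt_opts_compat(sb, fc->security)` is reached with a NULL `fc->security` whenever the existing superblock carries security options but the new mount passed none (the `old->has_sec_mnt_opts ||` arm); the hook must treat NULL as "no options" and report a mismatch in that case, otherwise a context-less mount could be attached to a superblock that already has a context, which is exactly what the late "Same superblock, different security settings" failure used to catch. A short comment above the check stating that a non-zero return means incompatible would also help, since the surrounding comparisons all return 0 on mismatch and the double negative is easy to misread.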
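Review bot: in the nfs_fs_sb.h hunk the new `has_sec_mnt_opts` member of struct nfs_server has no comment, while the neighbouring `cred` field carries one (`/* User namespace info */`); a one-line comment recording that the flag means LSM mount options were supplied at mount time and is consulted by nfs_compare_super would document the new state, and the mirror field added to struct nfs_fs_context in internal.h would benefit from the same.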