Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1240619pxf; Fri, 19 Mar 2021 02:33:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxOI1/c4CECsrDX60gLiRSGZ2UwgYJ6M1Cgs46EGpVHrLbNBnyRgUy1vrnPVUwDFICjmsIa X-Received: by 2002:a17:906:2ac1:: with SMTP id m1mr3272304eje.472.1616146382232; Fri, 19 Mar 2021 02:33:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616146382; cv=none; d=google.com; s=arc-20160816; b=bcchaDt7Ay4cYqudRH+u+w2YNkAnbzfSPNeEe7OmMZjpU/covevNadElmjRiUz8BFv +lJB5sKk9rYFpqFiCO2X1Gan7W4/R9Ca1szioRbyHopzg0bOxpPpxqOBRb2RM45xVPq7 oLkW+srpcQW1uTJUjIZmSEaB1XoqqcDD48SLVgl77QyNS/EyzYVGLVZHWbGB63UDocRw 1TuHDB43Q2YbOtv6+zSQfH6LnV8Gp3agXB+xGDy0nHw5WFCRN30phrKSAxMe184QgAgT jewLV5X0Rsn3s3kKsJDOuBQoPUPDiRo7mE3vDRDOwlna6KSQoXDl9C+UCIru3NkNqXj2 I8lA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=JWPYl+scBvanEZlNPOls+Aq3GI5Pv240j8HlXxWUWlg=; b=OO0+tSw0pL5s5cs+apIMKLmlkV4NUxiR5eDIcoevDejaiMgOw3xHvePaPHtoCi1unU rfFQEan2jP773WY3cSGM5oJwB3kr9YXhNIPJbyN3txRCuyMGYeG4Hjcr/7e31XxXJkLi E8rA6Ey2026oSAd26AkYt6E2AweRhquZUcuwqfntkOWKiLvwvDjI63Aa+eLuYsVOxVj+ BLXBP3Ayu5hAnVXUHYtp8lANDc39iG9mCVP3bIb3ms3pP0nrsGRp8P1Vkx4YAMJwU4zw MrsVouX7FJDcpOiHMard3pRYPyYCPwt9XVKzoaN7vnWHQglCDjeO2yyrGokr305yyQrx zr9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=JsEs76wF; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t24si3878438edw.402.2021.03.19.02.32.29; Fri, 19 Mar 2021 02:33:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=JsEs76wF; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229877AbhCSJb2 (ORCPT + 99 others); Fri, 19 Mar 2021 05:31:28 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:29800 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230026AbhCSJbI (ORCPT ); Fri, 19 Mar 2021 05:31:08 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1616146268; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=JWPYl+scBvanEZlNPOls+Aq3GI5Pv240j8HlXxWUWlg=; b=JsEs76wFW6RLbGa1ayytu55Bft/y0rIagkYI5K1qEFx2rd8VdLiROlcrFyMdgPXZ7+h6qZ aYjg5DlF19s9MYESIru5d4WUPvCJiB/AVt1P3VolUkYqizc30hHu7x6HoVOeDyv6BpZgcL 1oC6vmgoueaqDEmFgn/Sbdy37uQhVqk= Received: from mail-yb1-f198.google.com (mail-yb1-f198.google.com [209.85.219.198]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-263-la8XvjsnP2Wn98FVrhfokQ-1; Fri, 19 Mar 2021 05:31:06 -0400 X-MC-Unique: la8XvjsnP2Wn98FVrhfokQ-1 Received: by mail-yb1-f198.google.com with SMTP id a63so51629032yba.2 for ; Fri, 19 Mar 2021 02:31:06 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JWPYl+scBvanEZlNPOls+Aq3GI5Pv240j8HlXxWUWlg=; b=P766sjc8Jpvk94YDZBkeguSmxN08ajMpfCZwUqa54FUoXLv91GVo4DYqoIVFHw8pXS EdqyIuIvKelIeo9KHo+uFTnEue2C/BkscrAUEBdDvgUVJnXzpNx3cHdRNXnTsZG/t7iO nq63XI25VVpcp3oNdtbTEvWY1O90DR8YH20Syt9jO1TVgKHxYCjoR81ATdUgBWLoAEyr SnyC+kuvvMI8ZfZJgJXVpAiZOEczvc13ODf3Vd7ccQtwa1tRZOt4KDTITDj5Tn4jazfY uEAFDlU6tKzkAkL1ssQhcBckVD/DnGU3cFcX/XzXc3SOvEec+J2VlSvGGGPjBpqhveNU 1caA== X-Gm-Message-State: AOAM5332RoqIdmI0mumFlhJJMOyyzgq5CAoVbetAbVHEZd7r2KAFPvWR /DjV2Zrm5oOSz4+5PwFAhXvJ/530eUDS6AR7YxX50bFlgrK2Wuo7MsMeppD+Wj0OKaQh9xyjY3O RmTOASvR43zQJ/g/C61XNoGGMNyxlfnOiw/c3 X-Received: by 2002:a5b:d43:: with SMTP id f3mr5186032ybr.81.1616146265858; Fri, 19 Mar 2021 02:31:05 -0700 (PDT) X-Received: by 2002:a5b:d43:: with SMTP id f3mr5186011ybr.81.1616146265623; Fri, 19 Mar 2021 02:31:05 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ondrej Mosnacek Date: Fri, 19 Mar 2021 10:30:53 +0100 Message-ID: Subject: Re: Weird bug in NFS/SELinux To: Olga Kornievskaia Cc: linux-nfs , SElinux list , Linux Security Module list Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Thu, Mar 18, 2021 at 2:57 PM Ondrej Mosnacek wrote: > On Thu, Mar 18, 2021 at 2:43 PM Olga Kornievskaia wrote: > > On Thu, Mar 18, 2021 at 5:59 AM Ondrej Mosnacek wrote: > > > > > > Hello, > > > > > > While trying to figure out why the NFS tests in the selinux-testsuite > > > [1] are failing, I ran into this strange bug: When I mount an NFS > > > filesystem on some directory, and then immediately attempt to create > > > exactly the same mount on the same directory (fails with -EBUSY as > > > expected per mount(2)), then all the entries inside the mount (but not > > > the root node) show up as unlabeled > > > (system_u:object_r:unlabeled_t:s0). For some reason this doesn't > > > happen if I list the directory contents between the two mounts. > > > > > > It happens at least with kernels 5.12-rc2 and 5.8.6, so it's likely an old bug. > > > > > > Minimal reproducer (assumes an SELinux-enabled system and that nothing > > > is mounted at /etc): > > > ``` > > > # set up a trivial NFS export > > > systemctl start nfs-server > > > exportfs -o rw,no_root_squash,security_label localhost:/ > > > > > > # > > > # reference scenario - single mount > > > # > > > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt > > > > > > ls -lZ /mnt # labels are correct > > > ls -lZd /mnt # label is correct > > > > > > # > > > # double mount - BUG > > > # > > > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt > > > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt > > > > > > ls -lZ /mnt # all labels are system_u:object_r:unlabeled_t:s0 > > > ls -lZd /mnt # label is correct > > > > > > # > > > # double mount with ls in between - OK > > > # > > > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt > > > ls -lZ /mnt # labels are correct > > > ls -lZd /mnt # label is correct > > > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt > > > > > > ls -lZ /mnt # labels are correct > > > ls -lZd /mnt # label is correct > > > > Hi Ondrej, a couple of questions about the reproducer. (1) are you > > saying that only "mount, mount, ls" sequence is problematic as you > > write "mount, ls, mount, ls" is correct? (2) what is your selinux > > configuration. I can't reproduce it on my setup. I get the same labels > > regardless of how many times I mount. > > (1) Yes, exactly. > (2) I reproduced it reliably on clean Fedora VM images (e.g. Fedora 33 > or Rawhide, both showed this bug). (Adding also linux-security-module@, since this affects the LSM interface.) After some off-list exchange trying to get the bug to reproduce on Olga's side, we have made some progress, so let me summarize our findings here. First, the issue only appears when you export the root directory, not just some path underneath. I suspect that it could be any directory with a mount on it rather than just the root dir, but I haven't verified that... Second, as Olga found out, the issue stems from the call to security_sb_set_mnt_opts() (from nfs_get_root()) on an already initialized superblock (AFAIK it is needed so that the LSM can check if the security mount options match (and error out the mount if they don't), where NFS processes the SECURITY_LSM_NATIVE_LABELS flag the same way as on the first mount, but SELinux ignores it on the repeated mount. Thus NFS turns off the NFS_CAP_SECURITY_LABEL flag and stops fetching labels from the server, so fresh inodes then show up as unlabeled. So I think there are two options how to fix it: 1) Require filesystems to always pass (0, NULL) as kern_flags when calling it on already initialized superblock - turning the labeling support on/off for an existing superblock wouldn't work with SELinux anyway. 2) When selinux_set_mnt_opts() is called again on a superblock, validate that the passed kern_flags match the expected value (i.e. the FS isn't trying to set an incompatible SECURITY_LSM_NATIVE_LABELS setting) and also return back the same flags as on the first call. It seems doing 1) would make the code in nfs_get_root() a bit ugly (and it might require some changes in VFS, too), so I think I like 2) more... SELinux/LSM folks, any thoughts? -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.