Received: by 2002:a05:6358:700f:b0:131:369:b2a3 with SMTP id 15csp1699123rwo; Wed, 2 Aug 2023 20:15:42 -0700 (PDT) X-Google-Smtp-Source: APBJJlGib7iyj89yTlmP/qFYQo0SICjirlCsD7MQx4Qlad7vuFj/k4XF3HIsrME5aVw3QGMI5wwO X-Received: by 2002:a05:6870:170d:b0:1bf:74cc:c815 with SMTP id h13-20020a056870170d00b001bf74ccc815mr1162772oae.19.1691032541677; Wed, 02 Aug 2023 20:15:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691032541; cv=none; d=google.com; s=arc-20160816; b=rYdk8YPTsPZRfg0DF+K5EKEiVsNVU8ak9YLbstbuAEqdvjkKHTxBVOqEkY/OSRe7w8 G+T8yU73VbudQ0MAyCoecI31S0G/+NEgBO5L+WOX68yFhq9G4GwrkEJVJjHTNe0WYte8 dS4Z8DvUYSbaj64EtDock4WQadIiOjtV8uJ0pbGZ66dzD2lraBAu+hX8Vm+SDc1hWhBo WpDz96GEgjb9Ud8shq0tqsHjNGqWOpkCDgUrauzeeKdHt0038ffCp4KzjEyetHZYk9rM coXL6zxuEH5Iw6I/7KJw+deYwcaeypBeARhUOJ3GJb1fUGurqp+WWEnbYW8KKmEgxbYm 60uw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=C7rPDjP3w7SFi7WVbOLZnOQv42SK/YK3pgxUtFOJqn8=; fh=oUf4ZgFxQykWlP4cL5M+f07OjgtQ6hAS9ioflnvLglY=; b=SWxgBDG5BLcs42OfCqbvLNcM46dr/jP9mGgk1MqkuI2LRt5fG1Wb17mA9b8GlKzW8X 0fgQxhGRA0UYCDz9RtB2MfcVF2RO5ZcG2P+u9Vob2yt7yFMvaW86OniJ0Tb4EqIjDfqU hpe86piTPnmm9WvlYQLbU4+SLeaVEqXof53bnZXf9BQCr+7TTJa1Hcaa2U8auFPdrCpU T5Fh/DXWVfMyuKI4tspF9i34Xl7Azhi9sDPNGh63diWX8F8UkCN1ebTtKkBRaGVS0z6G Dzfv240BCwPV8f5nOCEqYZBe3j9HOmuryHrbxg8qnXqtRjkbS6IZzcksfJqoiDdOlT8F nuQg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=NhqdR98K; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f1-20020a17090a700100b002683fd38fd4si2232784pjk.31.2023.08.02.20.15.20; Wed, 02 Aug 2023 20:15:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=NhqdR98K; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233513AbjHCCqq (ORCPT + 99 others); Wed, 2 Aug 2023 22:46:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33750 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233125AbjHCCqp (ORCPT ); Wed, 2 Aug 2023 22:46:45 -0400 Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 56F92B2 for ; Wed, 2 Aug 2023 19:46:42 -0700 (PDT) Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-583f837054eso4002767b3.3 for ; Wed, 02 Aug 2023 19:46:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1691030801; x=1691635601; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=C7rPDjP3w7SFi7WVbOLZnOQv42SK/YK3pgxUtFOJqn8=; b=NhqdR98K7bSRKTQ7CDjVRuusX4/Mn2110sFpO+gM2ndRgcP5OGA/FvizImRpEFEI4Z PzGJ2fbtz7V+aSAsGKRRX4zdMzG2Ac0+NO8G5LU04GpWmY1oYpNibBULXCfo1KfjeD/Y VkGVoJ4W5p9nydWS1OU+rOHdFLg07+H2eJVFgHRBmy669hWJ8MfQyLHxBzHgyNt/2Jk+ CcwoWKuzcB5rmpv9andPMrMoVDPaHBL3zU3r1fFGqN7x74QhHlDsK1NwpW9SEdncDCRd FkoTtcniWlVsCYHVycdjAtMDuJQ9Pfykj7simTA9WCo2OIiEEMeuJSS5RVZpb31IsaiE GjcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691030801; x=1691635601; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=C7rPDjP3w7SFi7WVbOLZnOQv42SK/YK3pgxUtFOJqn8=; b=bvk3N2yFz77viLDy3u5hQ3wb33zZxs4fgFcDTgnoXvaUMT7vbVCOkS5IUJk5BmTRkN jpRcXBPG6ckempWeQDqzBV8rskb3lLwQzioTIAlLMnsywcodPN5HSdOGGAxOnY+9z6b9 IYdF+/1rrqh9inzfWPwWA9XP7X6wfQQsBMCxNfJcuvdXLFoiHPJzu+nKynmbMrpFETuD oXsgi89bQBT72/7tdAJ2m9kK9RMoB1vAwAehztnKvpudzD24y0/O+L1r+4ELpxejVWmr GWdzdXu17uq/GruQyLhdctWa5JPCT3dPVC3pBOnBu2P7Dp8u1RAQ1jAzlry0VH84+rzc N+zQ== X-Gm-Message-State: ABy/qLbu55UesqtMwqUZhoE11E4w8GLm1ouCUAfCIE9ETL8A0zngpfUk mtkfQKa+wU5+H0w47c58zlVYkoY4F7GZx08ba/qd X-Received: by 2002:a81:7b05:0:b0:56c:e1e0:8da1 with SMTP id w5-20020a817b05000000b0056ce1e08da1mr23328025ywc.19.1691030801385; Wed, 02 Aug 2023 19:46:41 -0700 (PDT) MIME-Version: 1.0 References: <20230802-master-v6-1-45d48299168b@kernel.org> In-Reply-To: From: Paul Moore Date: Wed, 2 Aug 2023 22:46:30 -0400 Message-ID: Subject: Re: [PATCH v6] vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing To: Jeff Layton Cc: Alexander Viro , Christian Brauner , Trond Myklebust , Anna Schumaker , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , Casey Schaufler , David Howells , Scott Mayhew , Stephen Smalley , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Wed, Aug 2, 2023 at 3:34=E2=80=AFPM Jeff Layton wro= te: > On Wed, 2023-08-02 at 14:16 -0400, Paul Moore wrote: > > On Aug 2, 2023 Jeff Layton wrote: ... > > I generally dislike core kernel code which makes LSM calls conditional > > on some kernel state maintained outside the LSM. Sometimes it has to > > be done as there is no other good options, but I would like us to try > > and avoid it if possible. The commit description mentioned that this > > was put here to avoid a SELinux complaint, can you provide an example > > of the complain? Does it complain about a double/invalid mount, e.g. > > "SELinux: mount invalid. Same superblock, different security ..."? > > The problem I had was not so much SELinux warnings, but rather that in a > situation where I would expect to share superblocks between two > filesystems, it didn't. > > Basically if you do something like this: > > # mount nfsserver:/export/foo /mnt/foo -o context=3Dsystem_u:object_r:roo= t_t:s0 > # mount nfsserver:/export/bar /mnt/bar -o context=3Dsystem_u:object_r:roo= t_t:s0 > > ...when "foo" and "bar" are directories on the same filesystem on the > server, you should get two vfsmounts that share a superblock. That's > what you get if selinux is disabled, but not when it's enabled (even > when it's in permissive mode). Thanks, that helps. I'm guessing the difference in behavior is due to the old->has_sec_mnt_opts check in nfs_compare_super(). > > I'd like to understand why the sb_set_mnt_opts() call fails when it > > comes after the fs_context_init() call. I'm particulary curious to > > know if the failure is due to conflicting SELinux state in the > > fs_context, or if it is simply an issue of sb_set_mnt_opts() not > > properly handling existing values. Perhaps I'm being overly naive, > > but I'm hopeful that we can address both of these within the SELinux > > code itself. > > The problem I hit was that nfs_compare_super is called with a fs_context > that has a NULL ->security pointer. That caused it to call > selinux_sb_mnt_opts_compat with mnt_opts set to NULL, and at that point > it returns 1 and decides not to share sb's. > > Filling out fc->security with this new operation seems to fix that, but > if you see a better way to do this, then I'm certainly open to the idea. Just as you mention that you are not a LSM expert, I am not a VFS expert, so I think we'll have to help each other a bit ;) I think I'm beginning to understand alloc_fs_context() a bit more, including the fs_context_for_XXX() wrappers. One thing I have realized is that I believe we need to update the selinux_fs_context_init() and smack_fs_context_init() functions to properly handle a NULL @reference dentry; I think returning without error in both cases is the correct answer. In the non-NULL @reference case, I believe your patch is correct, we do want to inherit the options from @reference. My only concern now is the fs_context::lsm_set flag. You didn't mention exactly why the security_sb_set_mnt_opts() was failing, and requires the fs_context::lsm_set check, but my guess is that something is tripping over the fact that the superblock is already properly setup. I'm working under the assumption that this problem - attempting to reconfigure a properly configured superblock - should only be happening in the submount/non-NULL-reference case. If it is happening elsewhere I think I'm going to need some help understanding that ... However, assuming I'm mostly correct in the above paragraph, would it be possible to take a reference to the @reference dentry's superblock in security_fs_context_init(), that we could later compare to the superblock passed into security_sb_set_mnt_opts()? If we know that the fs_context was initialized with the same superblock we are now being asked to set mount options on, we should be able to return from the LSM hook without doing anything. Right? Or am I missing something really silly? :) --=20 paul-moore.com