author | Ondrej Mosnacek <omosnace@redhat.com> | 2018-12-21 15:18:53 -0500 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2019-01-10 21:24:43 -0500 |
commit | 53e0c2aa9a59a48e3798ef193d573ade85aa80f5 (patch) | |
tree | 3beac92b3f4c6187cc819c5468958d016d5e8cfb /security/selinux | |
parent | a83d6ddaebe541570291205cb538e35ad4ff94f9 (diff) |
selinux: do not override context on context mounts
Ignore all selinux_inode_notifysecctx() calls on mounts with SBLABEL_MNT
flag unset. This is achieved by returning -EOPNOTSUPP for this case in
selinux_inode_setsecurity() (because that function should not be called
in such case anyway) and translating this error to 0 in
selinux_inode_notifysecctx().
This fixes behavior of kernfs-based filesystems when mounted with the
'context=' option. Before this patch, if a node's context had been
explicitly set to a non-default value and later the filesystem has been
remounted with the 'context=' option, then this node would show up as
having the manually-set context and not the mount-specified one.
Steps to reproduce:
# mount -t cgroup2 cgroup2 /sys/fs/cgroup/unified
# chcon unconfined_u:object_r:user_home_t:s0 /sys/fs/cgroup/unified/cgroup.stat
# ls -lZ /sys/fs/cgroup/unified
total 0
-r--r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.controllers
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.depth
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.descendants
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.procs
-r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.subtree_control
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.threads
# umount /sys/fs/cgroup/unified
# mount -o context=system_u:object_r:tmpfs_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
Result before:
# ls -lZ /sys/fs/cgroup/unified
total 0
-r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
-r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
Result after:
# ls -lZ /sys/fs/cgroup/unified
total 0
-r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
-r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.stat
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 9 |
1 files changed, 8 insertions, 1 deletions
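diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f8931c5d252a..81e012c66d95 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3264,12 +3264,16 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
 				     const void *value, size_t size, int flags)
 {
 	struct inode_security_struct *isec = inode_security_novalidate(inode);
+	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 	u32 newsid;
 	int rc;
 
 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
 
+	if (!(sbsec->flags & SBLABEL_MNT))
+		return -EOPNOTSUPP;
+
 	if (!value || !size)
 		return -EACCES;
 
@@ -6415,7 +6419,10 @@ static void selinux_inode_invalidate_secctx(struct inode *inode)
  */
 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
 {
-	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
+	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
+					   ctx, ctxlen, 0);
+	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
+	return rc == -EOPNOTSUPP ? 0 : rc;
 }
 
 /*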
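Review bot: The new SBLABEL_MNT check in selinux_inode_setsecurity() is placed before the `if (!value || !size) return -EACCES;` test, so a notifysecctx call with a NULL or empty ctx on a non-SBLABEL_MNT superblock now yields 0 from selinux_inode_notifysecctx() instead of -EACCES; if that is intended, the comment in the second hunk should say so, since it currently only mentions the label-suppression case. The `rc == -EOPNOTSUPP ? 0 : rc` mapping also relies on the name being the constant XATTR_SELINUX_SUFFIX, as the strcmp() branch in setsecurity returns the same code; a more precise comment would be `/* -EOPNOTSUPP here can only mean the superblock lacks SBLABEL_MNT (name is always XATTR_SELINUX_SUFFIX); keep the mount-specified label silently. */`. The sbsec->flags read in the first hunk is done without taking sbsec->lock, which appears consistent with how other hooks read these flags, but it is worth confirming SBLABEL_MNT is only set during superblock setup. selinux_inode_setsecurity()'s body continues past the end of the first hunk.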