selinux: never allow relabeling on context mounts

In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling files/directories, so we should never set the SBLABEL_MNT flag. The 'special handling' in selinux_is_sblabel_mnt() is only intended for when the behavior is set to SECURITY_FS_USE_GENFS. While there, make the logic in selinux_is_sblabel_mnt() more explicit and add a BUILD_BUG_ON() to make sure that introducing a new SECURITY_FS_USE_* forces a review of the logic. Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Ondrej Mosnacek <omosnace@redhat.com> 2018-12-21 15:18:52 -0500
committer: Paul Moore <paul@paul-moore.com> 2019-01-10 21:23:39 -0500
commit: a83d6ddaebe541570291205cb538e35ad4ff94f9 (patch)
tree: e06b9552bec95ead56f8ba79ac4f27947866850b /security/selinux
parent: e46e01eebbbcf2ff6d28ee7cae9f117e9d1572c8 (diff)
1 files changed, 31 insertions, 9 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f08a0f201967..f8931c5d252a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -534,16 +534,10 @@ static int may_context_mount_inode_relabel(u32 sid,
        return rc;
 }
-static int selinux_is_sblabel_mnt(struct super_block *sb)
+static int selinux_is_genfs_special_handling(struct super_block *sb)
 {
-        struct superblock_security_struct *sbsec = sb->s_security;
+        /* Special handling. Genfs but also in-core setxattr handler */
+        return  !strcmp(sb->s_type->name, "sysfs") ||
-        return sbsec->behavior == SECURITY_FS_USE_XATTR ||
-                sbsec->behavior == SECURITY_FS_USE_TRANS ||
-                sbsec->behavior == SECURITY_FS_USE_TASK ||
-                sbsec->behavior == SECURITY_FS_USE_NATIVE ||
-                /* Special handling. Genfs but also in-core setxattr handler */
-                !strcmp(sb->s_type->name, "sysfs") ||
                !strcmp(sb->s_type->name, "pstore") ||
                !strcmp(sb->s_type->name, "debugfs") ||
                !strcmp(sb->s_type->name, "tracefs") ||
@@ -553,6 +547,34 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
                  !strcmp(sb->s_type->name, "cgroup2")));
 }
+static int selinux_is_sblabel_mnt(struct super_block *sb)
+{
+        struct superblock_security_struct *sbsec = sb->s_security;
+        /*
+         * IMPORTANT: Double-check logic in this function when adding a new
+         * SECURITY_FS_USE_* definition!
+         */
+        BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
+        switch (sbsec->behavior) {
+        case SECURITY_FS_USE_XATTR:
+        case SECURITY_FS_USE_TRANS:
+        case SECURITY_FS_USE_TASK:
+        case SECURITY_FS_USE_NATIVE:
+                return 1;
+        case SECURITY_FS_USE_GENFS:
+                return selinux_is_genfs_special_handling(sb);
+        /* Never allow relabeling on context mounts */
+        case SECURITY_FS_USE_MNTPOINT:
+        case SECURITY_FS_USE_NONE:
+        default:
+                return 0;
+        }
+}
 static int sb_finish_set_opts(struct super_block *sb)
 {
        struct superblock_security_struct *sbsec = sb->s_security;
author	Ondrej Mosnacek <omosnace@redhat.com>	2018-12-21 15:18:52 -0500
committer	Paul Moore <paul@paul-moore.com>	2019-01-10 21:23:39 -0500
commit	a83d6ddaebe541570291205cb538e35ad4ff94f9 (patch)
tree	e06b9552bec95ead56f8ba79ac4f27947866850b /security/selinux
parent	e46e01eebbbcf2ff6d28ee7cae9f117e9d1572c8 (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f08a0f201967..f8931c5d252a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -534,16 +534,10 @@ static int may_context_mount_inode_relabel(u32 sid,
534	return rc;	534	return rc;
535	}	535	}
536		536
537	static int selinux_is_sblabel_mnt(struct super_block *sb)	537	static int selinux_is_genfs_special_handling(struct super_block *sb)
538	{	538	{
539	struct superblock_security_struct *sbsec = sb->s_security;	539	/* Special handling. Genfs but also in-core setxattr handler */
540		540	return !strcmp(sb->s_type->name, "sysfs") \|\|
541	return sbsec->behavior == SECURITY_FS_USE_XATTR \|\|
542	sbsec->behavior == SECURITY_FS_USE_TRANS \|\|
543	sbsec->behavior == SECURITY_FS_USE_TASK \|\|
544	sbsec->behavior == SECURITY_FS_USE_NATIVE \|\|
545	/* Special handling. Genfs but also in-core setxattr handler */
546	!strcmp(sb->s_type->name, "sysfs") \|\|
547	!strcmp(sb->s_type->name, "pstore") \|\|	541	!strcmp(sb->s_type->name, "pstore") \|\|
548	!strcmp(sb->s_type->name, "debugfs") \|\|	542	!strcmp(sb->s_type->name, "debugfs") \|\|
549	!strcmp(sb->s_type->name, "tracefs") \|\|	543	!strcmp(sb->s_type->name, "tracefs") \|\|
@@ -553,6 +547,34 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
553	!strcmp(sb->s_type->name, "cgroup2")));	547	!strcmp(sb->s_type->name, "cgroup2")));
554	}	548	}
555		549
		550	static int selinux_is_sblabel_mnt(struct super_block *sb)
		551	{
		552	struct superblock_security_struct *sbsec = sb->s_security;
		553
		554	/*
		555	* IMPORTANT: Double-check logic in this function when adding a new
		556	* SECURITY_FS_USE_* definition!
		557	*/
		558	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
		559
		560	switch (sbsec->behavior) {
		561	case SECURITY_FS_USE_XATTR:
		562	case SECURITY_FS_USE_TRANS:
		563	case SECURITY_FS_USE_TASK:
		564	case SECURITY_FS_USE_NATIVE:
		565	return 1;
		566
		567	case SECURITY_FS_USE_GENFS:
		568	return selinux_is_genfs_special_handling(sb);
		569
		570	/* Never allow relabeling on context mounts */
		571	case SECURITY_FS_USE_MNTPOINT:
		572	case SECURITY_FS_USE_NONE:
		573	default:
		574	return 0;
		575	}
		576	}
		577
556	static int sb_finish_set_opts(struct super_block *sb)	578	static int sb_finish_set_opts(struct super_block *sb)
557	{	579	{
558	struct superblock_security_struct *sbsec = sb->s_security;	580	struct superblock_security_struct *sbsec = sb->s_security;