* [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling @ 2021-04-09 11:12 Ondrej Mosnacek 2021-04-09 11:12 ` [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag Ondrej Mosnacek ` (3 more replies) 0 siblings, 4 replies; 8+ messages in thread From: Ondrej Mosnacek @ 2021-04-09 11:12 UTC (permalink / raw) To: linux-security-module, selinux Cc: linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley This series attempts to clean up part of the mess that has grown around the LSM mount option handling across different subsystems. The original motivation was to fix a NFS+SELinux bug that I found while trying to get the NFS part of the selinux-testsuite [1] to work, which is fixed by patch 2. The first patch paves the way for the second one by eliminating the special case workaround in selinux_set_mnt_opts(), while also simplifying BTRFS's LSM mount option handling. I tested the patches by running the NFS part of the SELinux testsuite (which is now fully passing). I also added the pending patch for broken BTRFS LSM options support with fsconfig(2) [2] and ran the proposed BTRFS SELinux tests for selinux-testsuite [3] (still passing with all patches). [1] https://github.com/SELinuxProject/selinux-testsuite/ [2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/ [3] https://lore.kernel.org/selinux/20201103110121.53919-2-richard_c_haines@btinternet.com/ ^^ the original patch no longer applies - a rebased version is here: https://github.com/WOnder93/selinux-testsuite/commit/212e76b5bd0775c7507c1996bd172de3bcbff139.patch Ondrej Mosnacek (2): vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount fs/btrfs/super.c | 35 ++++++----------------------------- fs/nfs/fs_context.c | 6 ++++-- fs/super.c | 10 ++++++---- include/linux/fs.h | 3 ++- security/selinux/hooks.c | 32 +++++++++++++++++--------------- 5 files changed, 35 insertions(+), 51 deletions(-) -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag 2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek @ 2021-04-09 11:12 ` Ondrej Mosnacek 2021-04-09 11:12 ` [PATCH 2/2] selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount Ondrej Mosnacek ` (2 subsequent siblings) 3 siblings, 0 replies; 8+ messages in thread From: Ondrej Mosnacek @ 2021-04-09 11:12 UTC (permalink / raw) To: linux-security-module, selinux Cc: linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley Add a new FS_HANDLES_LSM_OPTS filesystem flag to singal to VFS that the filesystem does LSM option setting for the given mount on its own, so the security_sb_set_mnt_opts() call in vfs_get_tree() can be skipped. This allows the following simplifications: 1. Removal of explicit LSM option handling from BTRFS. This exists only because of the double-layer mount that BTRFS is doing for its subvolume support. Setting FS_BINARY_MOUNTDATA (to prevent VFS from eating away the LSM opts) and FS_HANDLES_LSM_OPTS (to prevent an extra security_sb_set_mnt_opts() call) on the outer layer and none of them on the lower layer allows to leave the LSM option handling entirely on VFS as part of the vfs_kern_mount() call. 2. Removal of the ugly FS_BINARY_MOUNTDATA special case from selinux_set_mnt_opts(). Applying (1.) and also setting FS_HANDLES_LSM_OPTS on NFS fs_types (which needs to unavoidably do the LSM options handling on its own due to the SECURITY_LSM_NATIVE_LABELS flag usage) gets us to the state where there exactly one security_sb_set_mnt_opts() or security_sb_clone_mnt_opts() call for each superblock, so the rather hacky FS_BINARY_MOUNTDATA special case can be finally removed from security_sb_set_mnt_opts(). The only other filesystem that sets FS_BINARY_MOUNTDATA is coda, which is also the only one that has binary mount data && doesn't do its own LSM options handling. So for coda we leave FS_HANDLES_LSM_OPTS unset and the behavior remains unchanged - with fsconfig(2) it (probably) won't even mount and with mount(2) it still won't support LSM options (and the security_sb_set_mnt_opts() will be always performed with empty LSM options as before). AFAICT, this shouldn't negatively affect the other LSMs. In fact, I think AppArmor will now gain the ability to do its DFA matching on BTRFS mount options, which was prevented before due to FS_BINARY_MOUNTDATA being set on both its fs_types. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- fs/btrfs/super.c | 35 ++++++----------------------------- fs/nfs/fs_context.c | 6 ++++-- fs/super.c | 10 ++++++---- include/linux/fs.h | 3 ++- security/selinux/hooks.c | 15 --------------- 5 files changed, 18 insertions(+), 51 deletions(-) diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c index f7a4ad86adee..bdce18f8a263 100644 --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c @@ -1640,19 +1640,12 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type, struct btrfs_device *device = NULL; struct btrfs_fs_devices *fs_devices = NULL; struct btrfs_fs_info *fs_info = NULL; - void *new_sec_opts = NULL; fmode_t mode = FMODE_READ; int error = 0; if (!(flags & SB_RDONLY)) mode |= FMODE_WRITE; - if (data) { - error = security_sb_eat_lsm_opts(data, &new_sec_opts); - if (error) - return ERR_PTR(error); - } - /* * Setup a dummy root and fs_info for test/set super. This is because * we don't actually fill this stuff out until open_ctree, but we need @@ -1662,10 +1655,9 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type, * superblock with our given fs_devices later on at sget() time. */ fs_info = kvzalloc(sizeof(struct btrfs_fs_info), GFP_KERNEL); - if (!fs_info) { - error = -ENOMEM; - goto error_sec_opts; - } + if (!fs_info) + return ERR_PTR(-ENOMEM); + btrfs_init_fs_info(fs_info); fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL); @@ -1722,9 +1714,6 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type, set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags); error = btrfs_fill_super(s, fs_devices, data); } - if (!error) - error = security_sb_set_mnt_opts(s, new_sec_opts, 0, NULL); - security_free_mnt_opts(&new_sec_opts); if (error) { deactivate_locked_super(s); return ERR_PTR(error); @@ -1736,8 +1725,6 @@ error_close_devices: btrfs_close_devices(fs_devices); error_fs_info: btrfs_free_fs_info(fs_info); -error_sec_opts: - security_free_mnt_opts(&new_sec_opts); return ERR_PTR(error); } @@ -1899,17 +1886,6 @@ static int btrfs_remount(struct super_block *sb, int *flags, char *data) sync_filesystem(sb); set_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state); - if (data) { - void *new_sec_opts = NULL; - - ret = security_sb_eat_lsm_opts(data, &new_sec_opts); - if (!ret) - ret = security_sb_remount(sb, new_sec_opts); - security_free_mnt_opts(&new_sec_opts); - if (ret) - goto restore; - } - ret = btrfs_parse_options(fs_info, data, *flags); if (ret) goto restore; @@ -2359,7 +2335,8 @@ static struct file_system_type btrfs_fs_type = { .name = "btrfs", .mount = btrfs_mount, .kill_sb = btrfs_kill_super, - .fs_flags = FS_REQUIRES_DEV | FS_BINARY_MOUNTDATA, + .fs_flags = FS_REQUIRES_DEV | FS_BINARY_MOUNTDATA | + FS_HANDLES_LSM_OPTS, }; static struct file_system_type btrfs_root_fs_type = { @@ -2367,7 +2344,7 @@ static struct file_system_type btrfs_root_fs_type = { .name = "btrfs", .mount = btrfs_mount_root, .kill_sb = btrfs_kill_super, - .fs_flags = FS_REQUIRES_DEV | FS_BINARY_MOUNTDATA, + .fs_flags = FS_REQUIRES_DEV, }; MODULE_ALIAS_FS("btrfs"); diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c index a06d213d7689..f9c2aaeb5000 100644 --- a/fs/nfs/fs_context.c +++ b/fs/nfs/fs_context.c @@ -1529,7 +1529,8 @@ struct file_system_type nfs_fs_type = { .init_fs_context = nfs_init_fs_context, .parameters = nfs_fs_parameters, .kill_sb = nfs_kill_super, - .fs_flags = FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA, + .fs_flags = FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA| + FS_HANDLES_LSM_OPTS, }; MODULE_ALIAS_FS("nfs"); EXPORT_SYMBOL_GPL(nfs_fs_type); @@ -1541,7 +1542,8 @@ struct file_system_type nfs4_fs_type = { .init_fs_context = nfs_init_fs_context, .parameters = nfs_fs_parameters, .kill_sb = nfs_kill_super, - .fs_flags = FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA, + .fs_flags = FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA| + FS_HANDLES_LSM_OPTS, }; MODULE_ALIAS_FS("nfs4"); MODULE_ALIAS("nfs4"); diff --git a/fs/super.c b/fs/super.c index 8c1baca35c16..315e63873947 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1519,10 +1519,12 @@ int vfs_get_tree(struct fs_context *fc) smp_wmb(); sb->s_flags |= SB_BORN; - error = security_sb_set_mnt_opts(sb, fc->security, 0, NULL); - if (unlikely(error)) { - fc_drop_locked(fc); - return error; + if (!(fc->fs_type->fs_flags & FS_HANDLES_LSM_OPTS)) { + error = security_sb_set_mnt_opts(sb, fc->security, 0, NULL); + if (unlikely(error)) { + fc_drop_locked(fc); + return error; + } } /* diff --git a/include/linux/fs.h b/include/linux/fs.h index ec8f3ddf4a6a..306f09d846ca 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2332,7 +2332,8 @@ struct file_system_type { #define FS_HAS_SUBTYPE 4 #define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */ #define FS_DISALLOW_NOTIFY_PERM 16 /* Disable fanotify permission events */ -#define FS_ALLOW_IDMAP 32 /* FS has been updated to handle vfs idmappings. */ +#define FS_ALLOW_IDMAP 32 /* FS has been updated to handle vfs idmappings. */ +#define FS_HANDLES_LSM_OPTS 64 /* FS handles LSM opts on its own - skip it in VFS */ #define FS_THP_SUPPORT 8192 /* Remove once all fs converted */ #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */ int (*init_fs_context)(struct fs_context *); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 92f909a2e8f7..1daf7bec4bb0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -691,21 +691,6 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } - /* - * Binary mount data FS will come through this function twice. Once - * from an explicit call and once from the generic calls from the vfs. - * Since the generic VFS calls will not contain any security mount data - * we need to skip the double mount verification. - * - * This does open a hole in which we will not notice if the first - * mount using this sb set explict options and a second mount using - * this sb does not set any security options. (The first options - * will be used for both mounts) - */ - if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) - && !opts) - goto out; - root_isec = backing_inode_security_novalidate(root); /* -- 2.30.2 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/2] selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount 2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek 2021-04-09 11:12 ` [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag Ondrej Mosnacek @ 2021-04-09 11:12 ` Ondrej Mosnacek 2021-04-09 12:27 ` [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Al Viro 2021-04-09 17:00 ` Casey Schaufler 3 siblings, 0 replies; 8+ messages in thread From: Ondrej Mosnacek @ 2021-04-09 11:12 UTC (permalink / raw) To: linux-security-module, selinux Cc: linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley When mounting an NFS export that is a mountpoint on the host, doing the same mount a second time leads to a security_sb_set_mnt_opts() call on an already intialized superblock, which leaves the SECURITY_LSM_NATIVE_LABELS flag unset even if it's provided by the FS. NFS then obediently clears NFS_CAP_SECURITY_LABEL from its server capability set, leading to any newly created inodes for this superblock to end up without labels. To fix this, make sure to return the SECURITY_LSM_NATIVE_LABELS flag when security_sb_set_mnt_opts() is called on an already initialized superblock with matching security options. While there, also do a sanity check to ensure that SECURITY_LSM_NATIVE_LABELS is set in kflags if and only if sbsec->behavior == SECURITY_FS_USE_NATIVE. Minimal reproducer: # systemctl start nfs-server # exportfs -o rw,no_root_squash,security_label localhost:/ # mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt # mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt # ls -lZ /mnt [all labels are system_u:object_r:unlabeled_t:s0] Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/hooks.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1daf7bec4bb0..b8efb14a1d1a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -741,7 +741,24 @@ static int selinux_set_mnt_opts(struct super_block *sb, /* previously mounted with options, but not on this attempt? */ if ((sbsec->flags & SE_MNTMASK) && !opts) goto out_double_mount; + + /* + * If we are checking an already initialized mount and the + * options match, make sure to return back the + * SECURITY_LSM_NATIVE_LABELS flag if applicable. If the + * superblock has the NATIVE behavior set and the FS is not + * signaling its support (or vice versa), then it is a + * programmer error, so emit a WARNING and return -EINVAL. + */ rc = 0; + if (sbsec->behavior == SECURITY_FS_USE_NATIVE) { + if (WARN_ON(!(kern_flags & SECURITY_LSM_NATIVE_LABELS))) + rc = -EINVAL; + else + *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; + } else if (WARN_ON(kern_flags & SECURITY_LSM_NATIVE_LABELS)) { + rc = -EINVAL; + } goto out; } -- 2.30.2 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling 2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek 2021-04-09 11:12 ` [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag Ondrej Mosnacek 2021-04-09 11:12 ` [PATCH 2/2] selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount Ondrej Mosnacek @ 2021-04-09 12:27 ` Al Viro 2021-04-09 17:39 ` Ondrej Mosnacek 2021-04-09 17:00 ` Casey Schaufler 3 siblings, 1 reply; 8+ messages in thread From: Al Viro @ 2021-04-09 12:27 UTC (permalink / raw) To: Ondrej Mosnacek Cc: linux-security-module, selinux, linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, David Howells, Stephen Smalley On Fri, Apr 09, 2021 at 01:12:52PM +0200, Ondrej Mosnacek wrote: > This series attempts to clean up part of the mess that has grown around > the LSM mount option handling across different subsystems. I would not describe growing another FS_... flag *AND* spreading the FS_BINARY_MOUNTDATA further, with rather weird semantics at that, as a cleanup of any sort. I still very much dislike that approach. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling 2021-04-09 12:27 ` [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Al Viro @ 2021-04-09 17:39 ` Ondrej Mosnacek 2021-05-17 13:46 ` Ondrej Mosnacek 0 siblings, 1 reply; 8+ messages in thread From: Ondrej Mosnacek @ 2021-04-09 17:39 UTC (permalink / raw) To: Al Viro Cc: Linux Security Module list, SElinux list, linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, David Howells, Stephen Smalley On Fri, Apr 9, 2021 at 2:28 PM Al Viro <viro@zeniv.linux.org.uk> wrote: > On Fri, Apr 09, 2021 at 01:12:52PM +0200, Ondrej Mosnacek wrote: > > This series attempts to clean up part of the mess that has grown around > > the LSM mount option handling across different subsystems. > > I would not describe growing another FS_... flag Why is that necessarily a bad thing? > *AND* spreading the > FS_BINARY_MOUNTDATA further, with rather weird semantics at that, > as a cleanup of any sort. How is this spreading it further? The patches remove one (rather bad) use of it in SELinux and somewhat reduce its use in btrfs. Hold on... actually I just realized that with FS_HANDLES_LSM_OPTS it is possible to do btrfs without FS_BINARY_MOUNTDATA and also eliminate the need for the workaround in vfs_parse_fs_param() (i.e. [2]). Basically instead of setting FS_BINARY_MOUNTDATA | FS_HANDLES_LSM_OPTS in btrfs_fs_type and neither in btrfs_root_fs_type, it is enough to set neither in btrfs_fs_type and only FS_HANDLES_LSM_OPTS in btrfs_root_fs_type. The security opts are then applied in the outer vfs_get_tree() call instead of the inner one, but the net effect is the same. That should pretty much do away with both the non-legit users of FS_BINARY_MOUNTDATA (selinux_set_mnt_opts() and btrfs). All the rest seem to be in line with the semantic. Would [something like] the above stand any chance of getting your approval? [2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/ -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling 2021-04-09 17:39 ` Ondrej Mosnacek @ 2021-05-17 13:46 ` Ondrej Mosnacek 0 siblings, 0 replies; 8+ messages in thread From: Ondrej Mosnacek @ 2021-05-17 13:46 UTC (permalink / raw) To: Al Viro Cc: Linux Security Module list, SElinux list, Linux FS Devel, linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, David Howells, Stephen Smalley On Fri, Apr 9, 2021 at 7:39 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > On Fri, Apr 9, 2021 at 2:28 PM Al Viro <viro@zeniv.linux.org.uk> wrote: > > On Fri, Apr 09, 2021 at 01:12:52PM +0200, Ondrej Mosnacek wrote: > > > This series attempts to clean up part of the mess that has grown around > > > the LSM mount option handling across different subsystems. > > > > I would not describe growing another FS_... flag > > Why is that necessarily a bad thing? > > > *AND* spreading the > > FS_BINARY_MOUNTDATA further, with rather weird semantics at that, > > as a cleanup of any sort. > > How is this spreading it further? The patches remove one (rather bad) > use of it in SELinux and somewhat reduce its use in btrfs. > > Hold on... actually I just realized that with FS_HANDLES_LSM_OPTS it > is possible to do btrfs without FS_BINARY_MOUNTDATA and also eliminate > the need for the workaround in vfs_parse_fs_param() (i.e. [2]). > > Basically instead of setting FS_BINARY_MOUNTDATA | FS_HANDLES_LSM_OPTS > in btrfs_fs_type and neither in btrfs_root_fs_type, it is enough to > set neither in btrfs_fs_type and only FS_HANDLES_LSM_OPTS in > btrfs_root_fs_type. The security opts are then applied in the outer > vfs_get_tree() call instead of the inner one, but the net effect is > the same. > > That should pretty much do away with both the non-legit users of > FS_BINARY_MOUNTDATA (selinux_set_mnt_opts() and btrfs). All the rest > seem to be in line with the semantic. > > Would [something like] the above stand any chance of getting your approval? So I posted this variant as v2 now: https://lore.kernel.org/selinux/20210517134201.29271-1-omosnace@redhat.com/T/ > > [2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/ -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling 2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek ` (2 preceding siblings ...) 2021-04-09 12:27 ` [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Al Viro @ 2021-04-09 17:00 ` Casey Schaufler 2021-04-09 17:43 ` Ondrej Mosnacek 3 siblings, 1 reply; 8+ messages in thread From: Casey Schaufler @ 2021-04-09 17:00 UTC (permalink / raw) To: Ondrej Mosnacek, linux-security-module, selinux Cc: linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley, Casey Schaufler On 4/9/2021 4:12 AM, Ondrej Mosnacek wrote: > This series attempts to clean up part of the mess that has grown around > the LSM mount option handling across different subsystems. > > The original motivation was to fix a NFS+SELinux bug that I found while > trying to get the NFS part of the selinux-testsuite [1] to work, which > is fixed by patch 2. > > The first patch paves the way for the second one by eliminating the > special case workaround in selinux_set_mnt_opts(), while also > simplifying BTRFS's LSM mount option handling. > > I tested the patches by running the NFS part of the SELinux testsuite > (which is now fully passing). I also added the pending patch for > broken BTRFS LSM options support with fsconfig(2) [2] and ran the > proposed BTRFS SELinux tests for selinux-testsuite [3] (still passing > with all patches). The Smack testsuite can be found at: https://github.com/smack-team/smack-testsuite.git It might provide another layer of confidence. > > [1] https://github.com/SELinuxProject/selinux-testsuite/ > [2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/ > [3] https://lore.kernel.org/selinux/20201103110121.53919-2-richard_c_haines@btinternet.com/ > ^^ the original patch no longer applies - a rebased version is here: > https://github.com/WOnder93/selinux-testsuite/commit/212e76b5bd0775c7507c1996bd172de3bcbff139.patch > > Ondrej Mosnacek (2): > vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag > selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount > > fs/btrfs/super.c | 35 ++++++----------------------------- > fs/nfs/fs_context.c | 6 ++++-- > fs/super.c | 10 ++++++---- > include/linux/fs.h | 3 ++- > security/selinux/hooks.c | 32 +++++++++++++++++--------------- > 5 files changed, 35 insertions(+), 51 deletions(-) > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling 2021-04-09 17:00 ` Casey Schaufler @ 2021-04-09 17:43 ` Ondrej Mosnacek 0 siblings, 0 replies; 8+ messages in thread From: Ondrej Mosnacek @ 2021-04-09 17:43 UTC (permalink / raw) To: Casey Schaufler Cc: Linux Security Module list, SElinux list, linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley On Fri, Apr 9, 2021 at 7:00 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > On 4/9/2021 4:12 AM, Ondrej Mosnacek wrote: > > This series attempts to clean up part of the mess that has grown around > > the LSM mount option handling across different subsystems. > > > > The original motivation was to fix a NFS+SELinux bug that I found while > > trying to get the NFS part of the selinux-testsuite [1] to work, which > > is fixed by patch 2. > > > > The first patch paves the way for the second one by eliminating the > > special case workaround in selinux_set_mnt_opts(), while also > > simplifying BTRFS's LSM mount option handling. > > > > I tested the patches by running the NFS part of the SELinux testsuite > > (which is now fully passing). I also added the pending patch for > > broken BTRFS LSM options support with fsconfig(2) [2] and ran the > > proposed BTRFS SELinux tests for selinux-testsuite [3] (still passing > > with all patches). > > The Smack testsuite can be found at: > https://github.com/smack-team/smack-testsuite.git > > It might provide another layer of confidence. Thanks, but that doesn't seem to exercise mounting/remounting btrfs nor nfs with security options. Anything else should be unaffected. > > > > > [1] https://github.com/SELinuxProject/selinux-testsuite/ > > [2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/ > > [3] https://lore.kernel.org/selinux/20201103110121.53919-2-richard_c_haines@btinternet.com/ > > ^^ the original patch no longer applies - a rebased version is here: > > https://github.com/WOnder93/selinux-testsuite/commit/212e76b5bd0775c7507c1996bd172de3bcbff139.patch > > > > Ondrej Mosnacek (2): > > vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag > > selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount > > > > fs/btrfs/super.c | 35 ++++++----------------------------- > > fs/nfs/fs_context.c | 6 ++++-- > > fs/super.c | 10 ++++++---- > > include/linux/fs.h | 3 ++- > > security/selinux/hooks.c | 32 +++++++++++++++++--------------- > > 5 files changed, 35 insertions(+), 51 deletions(-) > > > -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2021-05-17 13:46 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek 2021-04-09 11:12 ` [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag Ondrej Mosnacek 2021-04-09 11:12 ` [PATCH 2/2] selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount Ondrej Mosnacek 2021-04-09 12:27 ` [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Al Viro 2021-04-09 17:39 ` Ondrej Mosnacek 2021-05-17 13:46 ` Ondrej Mosnacek 2021-04-09 17:00 ` Casey Schaufler 2021-04-09 17:43 ` Ondrej Mosnacek
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).