Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling
@ 2021-04-09 11:12 Ondrej Mosnacek
  2021-04-09 11:12 ` [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag Ondrej Mosnacek
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Ondrej Mosnacek @ 2021-04-09 11:12 UTC (permalink / raw)
  To: linux-security-module, selinux
  Cc: linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore,
	Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley

This series attempts to clean up part of the mess that has grown around
the LSM mount option handling across different subsystems.

The original motivation was to fix a NFS+SELinux bug that I found while
trying to get the NFS part of the selinux-testsuite [1] to work, which
is fixed by patch 2.

The first patch paves the way for the second one by eliminating the
special case workaround in selinux_set_mnt_opts(), while also
simplifying BTRFS's LSM mount option handling.

I tested the patches by running the NFS part of the SELinux testsuite
(which is now fully passing). I also added the pending patch for
broken BTRFS LSM options support with fsconfig(2) [2] and ran the
proposed BTRFS SELinux tests for selinux-testsuite [3] (still passing
with all patches).

[1] https://github.com/SELinuxProject/selinux-testsuite/
[2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/
[3] https://lore.kernel.org/selinux/20201103110121.53919-2-richard_c_haines@btinternet.com/
    ^^ the original patch no longer applies - a rebased version is here:
    https://github.com/WOnder93/selinux-testsuite/commit/212e76b5bd0775c7507c1996bd172de3bcbff139.patch

Ondrej Mosnacek (2):
  vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag
  selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount

 fs/btrfs/super.c         | 35 ++++++-----------------------------
 fs/nfs/fs_context.c      |  6 ++++--
 fs/super.c               | 10 ++++++----
 include/linux/fs.h       |  3 ++-
 security/selinux/hooks.c | 32 +++++++++++++++++---------------
 5 files changed, 35 insertions(+), 51 deletions(-)

-- 
2.30.2


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag
  2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek
@ 2021-04-09 11:12 ` Ondrej Mosnacek
  2021-04-09 11:12 ` [PATCH 2/2] selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount Ondrej Mosnacek
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 8+ messages in thread
From: Ondrej Mosnacek @ 2021-04-09 11:12 UTC (permalink / raw)
  To: linux-security-module, selinux
  Cc: linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore,
	Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley

Add a new FS_HANDLES_LSM_OPTS filesystem flag to singal to VFS that the
filesystem does LSM option setting for the given mount on its own, so
the security_sb_set_mnt_opts() call in vfs_get_tree() can be skipped.

This allows the following simplifications:
1. Removal of explicit LSM option handling from BTRFS.

   This exists only because of the double-layer mount that BTRFS is
   doing for its subvolume support. Setting FS_BINARY_MOUNTDATA (to
   prevent VFS from eating away the LSM opts) and FS_HANDLES_LSM_OPTS
   (to prevent an extra security_sb_set_mnt_opts() call) on the outer
   layer and none of them on the lower layer allows to leave the LSM
   option handling entirely on VFS as part of the vfs_kern_mount() call.

2. Removal of the ugly FS_BINARY_MOUNTDATA special case from
   selinux_set_mnt_opts().

   Applying (1.) and also setting FS_HANDLES_LSM_OPTS on NFS fs_types
   (which needs to unavoidably do the LSM options handling on its own
   due to the SECURITY_LSM_NATIVE_LABELS flag usage) gets us to the
   state where there exactly one security_sb_set_mnt_opts() or
   security_sb_clone_mnt_opts() call for each superblock, so the rather
   hacky FS_BINARY_MOUNTDATA special case can be finally removed from
   security_sb_set_mnt_opts().

The only other filesystem that sets FS_BINARY_MOUNTDATA is coda, which
is also the only one that has binary mount data && doesn't do its own
LSM options handling. So for coda we leave FS_HANDLES_LSM_OPTS unset and
the behavior remains unchanged - with fsconfig(2) it (probably) won't
even mount and with mount(2) it still won't support LSM options (and the
security_sb_set_mnt_opts() will be always performed with empty LSM
options as before).

AFAICT, this shouldn't negatively affect the other LSMs. In fact, I
think AppArmor will now gain the ability to do its DFA matching on BTRFS
mount options, which was prevented before due to FS_BINARY_MOUNTDATA
being set on both its fs_types.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 fs/btrfs/super.c         | 35 ++++++-----------------------------
 fs/nfs/fs_context.c      |  6 ++++--
 fs/super.c               | 10 ++++++----
 include/linux/fs.h       |  3 ++-
 security/selinux/hooks.c | 15 ---------------
 5 files changed, 18 insertions(+), 51 deletions(-)

diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index f7a4ad86adee..bdce18f8a263 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1640,19 +1640,12 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type,
 	struct btrfs_device *device = NULL;
 	struct btrfs_fs_devices *fs_devices = NULL;
 	struct btrfs_fs_info *fs_info = NULL;
-	void *new_sec_opts = NULL;
 	fmode_t mode = FMODE_READ;
 	int error = 0;
 
 	if (!(flags & SB_RDONLY))
 		mode |= FMODE_WRITE;
 
-	if (data) {
-		error = security_sb_eat_lsm_opts(data, &new_sec_opts);
-		if (error)
-			return ERR_PTR(error);
-	}
-
 	/*
 	 * Setup a dummy root and fs_info for test/set super.  This is because
 	 * we don't actually fill this stuff out until open_ctree, but we need
@@ -1662,10 +1655,9 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type,
 	 * superblock with our given fs_devices later on at sget() time.
 	 */
 	fs_info = kvzalloc(sizeof(struct btrfs_fs_info), GFP_KERNEL);
-	if (!fs_info) {
-		error = -ENOMEM;
-		goto error_sec_opts;
-	}
+	if (!fs_info)
+		return ERR_PTR(-ENOMEM);
+
 	btrfs_init_fs_info(fs_info);
 
 	fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
@@ -1722,9 +1714,6 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type,
 			set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags);
 		error = btrfs_fill_super(s, fs_devices, data);
 	}
-	if (!error)
-		error = security_sb_set_mnt_opts(s, new_sec_opts, 0, NULL);
-	security_free_mnt_opts(&new_sec_opts);
 	if (error) {
 		deactivate_locked_super(s);
 		return ERR_PTR(error);
@@ -1736,8 +1725,6 @@ error_close_devices:
 	btrfs_close_devices(fs_devices);
 error_fs_info:
 	btrfs_free_fs_info(fs_info);
-error_sec_opts:
-	security_free_mnt_opts(&new_sec_opts);
 	return ERR_PTR(error);
 }
 
@@ -1899,17 +1886,6 @@ static int btrfs_remount(struct super_block *sb, int *flags, char *data)
 	sync_filesystem(sb);
 	set_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state);
 
-	if (data) {
-		void *new_sec_opts = NULL;
-
-		ret = security_sb_eat_lsm_opts(data, &new_sec_opts);
-		if (!ret)
-			ret = security_sb_remount(sb, new_sec_opts);
-		security_free_mnt_opts(&new_sec_opts);
-		if (ret)
-			goto restore;
-	}
-
 	ret = btrfs_parse_options(fs_info, data, *flags);
 	if (ret)
 		goto restore;
@@ -2359,7 +2335,8 @@ static struct file_system_type btrfs_fs_type = {
 	.name		= "btrfs",
 	.mount		= btrfs_mount,
 	.kill_sb	= btrfs_kill_super,
-	.fs_flags	= FS_REQUIRES_DEV | FS_BINARY_MOUNTDATA,
+	.fs_flags	= FS_REQUIRES_DEV | FS_BINARY_MOUNTDATA |
+			  FS_HANDLES_LSM_OPTS,
 };
 
 static struct file_system_type btrfs_root_fs_type = {
@@ -2367,7 +2344,7 @@ static struct file_system_type btrfs_root_fs_type = {
 	.name		= "btrfs",
 	.mount		= btrfs_mount_root,
 	.kill_sb	= btrfs_kill_super,
-	.fs_flags	= FS_REQUIRES_DEV | FS_BINARY_MOUNTDATA,
+	.fs_flags	= FS_REQUIRES_DEV,
 };
 
 MODULE_ALIAS_FS("btrfs");
diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c
index a06d213d7689..f9c2aaeb5000 100644
--- a/fs/nfs/fs_context.c
+++ b/fs/nfs/fs_context.c
@@ -1529,7 +1529,8 @@ struct file_system_type nfs_fs_type = {
 	.init_fs_context	= nfs_init_fs_context,
 	.parameters		= nfs_fs_parameters,
 	.kill_sb		= nfs_kill_super,
-	.fs_flags		= FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA,
+	.fs_flags		= FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA|
+				  FS_HANDLES_LSM_OPTS,
 };
 MODULE_ALIAS_FS("nfs");
 EXPORT_SYMBOL_GPL(nfs_fs_type);
@@ -1541,7 +1542,8 @@ struct file_system_type nfs4_fs_type = {
 	.init_fs_context	= nfs_init_fs_context,
 	.parameters		= nfs_fs_parameters,
 	.kill_sb		= nfs_kill_super,
-	.fs_flags		= FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA,
+	.fs_flags		= FS_RENAME_DOES_D_MOVE|FS_BINARY_MOUNTDATA|
+				  FS_HANDLES_LSM_OPTS,
 };
 MODULE_ALIAS_FS("nfs4");
 MODULE_ALIAS("nfs4");
diff --git a/fs/super.c b/fs/super.c
index 8c1baca35c16..315e63873947 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1519,10 +1519,12 @@ int vfs_get_tree(struct fs_context *fc)
 	smp_wmb();
 	sb->s_flags |= SB_BORN;
 
-	error = security_sb_set_mnt_opts(sb, fc->security, 0, NULL);
-	if (unlikely(error)) {
-		fc_drop_locked(fc);
-		return error;
+	if (!(fc->fs_type->fs_flags & FS_HANDLES_LSM_OPTS)) {
+		error = security_sb_set_mnt_opts(sb, fc->security, 0, NULL);
+		if (unlikely(error)) {
+			fc_drop_locked(fc);
+			return error;
+		}
 	}
 
 	/*
diff --git a/include/linux/fs.h b/include/linux/fs.h
index ec8f3ddf4a6a..306f09d846ca 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2332,7 +2332,8 @@ struct file_system_type {
 #define FS_HAS_SUBTYPE		4
 #define FS_USERNS_MOUNT		8	/* Can be mounted by userns root */
 #define FS_DISALLOW_NOTIFY_PERM	16	/* Disable fanotify permission events */
-#define FS_ALLOW_IDMAP         32      /* FS has been updated to handle vfs idmappings. */
+#define FS_ALLOW_IDMAP		32	/* FS has been updated to handle vfs idmappings. */
+#define FS_HANDLES_LSM_OPTS	64	/* FS handles LSM opts on its own - skip it in VFS */
 #define FS_THP_SUPPORT		8192	/* Remove once all fs converted */
 #define FS_RENAME_DOES_D_MOVE	32768	/* FS will handle d_move() during rename() internally. */
 	int (*init_fs_context)(struct fs_context *);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 92f909a2e8f7..1daf7bec4bb0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -691,21 +691,6 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 		goto out;
 	}
 
-	/*
-	 * Binary mount data FS will come through this function twice.  Once
-	 * from an explicit call and once from the generic calls from the vfs.
-	 * Since the generic VFS calls will not contain any security mount data
-	 * we need to skip the double mount verification.
-	 *
-	 * This does open a hole in which we will not notice if the first
-	 * mount using this sb set explict options and a second mount using
-	 * this sb does not set any security options.  (The first options
-	 * will be used for both mounts)
-	 */
-	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
-	    && !opts)
-		goto out;
-
 	root_isec = backing_inode_security_novalidate(root);
 
 	/*
-- 
2.30.2


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 2/2] selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount
  2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek
  2021-04-09 11:12 ` [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag Ondrej Mosnacek
@ 2021-04-09 11:12 ` Ondrej Mosnacek
  2021-04-09 12:27 ` [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Al Viro
  2021-04-09 17:00 ` Casey Schaufler
  3 siblings, 0 replies; 8+ messages in thread
From: Ondrej Mosnacek @ 2021-04-09 11:12 UTC (permalink / raw)
  To: linux-security-module, selinux
  Cc: linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore,
	Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley

When mounting an NFS export that is a mountpoint on the host, doing the
same mount a second time leads to a security_sb_set_mnt_opts() call on
an already intialized superblock, which leaves the
SECURITY_LSM_NATIVE_LABELS flag unset even if it's provided by the FS.
NFS then obediently clears NFS_CAP_SECURITY_LABEL from its server
capability set, leading to any newly created inodes for this superblock
to end up without labels.

To fix this, make sure to return the SECURITY_LSM_NATIVE_LABELS flag
when security_sb_set_mnt_opts() is called on an already initialized
superblock with matching security options.

While there, also do a sanity check to ensure that
SECURITY_LSM_NATIVE_LABELS is set in kflags if and only if
sbsec->behavior == SECURITY_FS_USE_NATIVE.

Minimal reproducer:
    # systemctl start nfs-server
    # exportfs -o rw,no_root_squash,security_label localhost:/
    # mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
    # mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
    # ls -lZ /mnt
    [all labels are system_u:object_r:unlabeled_t:s0]

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 security/selinux/hooks.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1daf7bec4bb0..b8efb14a1d1a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -741,7 +741,24 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 		/* previously mounted with options, but not on this attempt? */
 		if ((sbsec->flags & SE_MNTMASK) && !opts)
 			goto out_double_mount;
+
+		/*
+		 * If we are checking an already initialized mount and the
+		 * options match, make sure to return back the
+		 * SECURITY_LSM_NATIVE_LABELS flag if applicable. If the
+		 * superblock has the NATIVE behavior set and the FS is not
+		 * signaling its support (or vice versa), then it is a
+		 * programmer error, so emit a WARNING and return -EINVAL.
+		 */
 		rc = 0;
+		if (sbsec->behavior == SECURITY_FS_USE_NATIVE) {
+			if (WARN_ON(!(kern_flags & SECURITY_LSM_NATIVE_LABELS)))
+				rc = -EINVAL;
+			else
+				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
+		} else if (WARN_ON(kern_flags & SECURITY_LSM_NATIVE_LABELS)) {
+			rc = -EINVAL;
+		}
 		goto out;
 	}
 
-- 
2.30.2


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling
  2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek
  2021-04-09 11:12 ` [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag Ondrej Mosnacek
  2021-04-09 11:12 ` [PATCH 2/2] selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount Ondrej Mosnacek
@ 2021-04-09 12:27 ` Al Viro
  2021-04-09 17:39   ` Ondrej Mosnacek
  2021-04-09 17:00 ` Casey Schaufler
  3 siblings, 1 reply; 8+ messages in thread
From: Al Viro @ 2021-04-09 12:27 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: linux-security-module, selinux, linux-fsdevel, linux-nfs,
	linux-btrfs, Paul Moore, Olga Kornievskaia, David Howells,
	Stephen Smalley

On Fri, Apr 09, 2021 at 01:12:52PM +0200, Ondrej Mosnacek wrote:
> This series attempts to clean up part of the mess that has grown around
> the LSM mount option handling across different subsystems.

I would not describe growing another FS_... flag *AND* spreading the
FS_BINARY_MOUNTDATA further, with rather weird semantics at that,
as a cleanup of any sort.

I still very much dislike that approach.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling
  2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek
                   ` (2 preceding siblings ...)
  2021-04-09 12:27 ` [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Al Viro
@ 2021-04-09 17:00 ` Casey Schaufler
  2021-04-09 17:43   ` Ondrej Mosnacek
  3 siblings, 1 reply; 8+ messages in thread
From: Casey Schaufler @ 2021-04-09 17:00 UTC (permalink / raw)
  To: Ondrej Mosnacek, linux-security-module, selinux
  Cc: linux-fsdevel, linux-nfs, linux-btrfs, Paul Moore,
	Olga Kornievskaia, Al Viro, David Howells, Stephen Smalley,
	Casey Schaufler

On 4/9/2021 4:12 AM, Ondrej Mosnacek wrote:
> This series attempts to clean up part of the mess that has grown around
> the LSM mount option handling across different subsystems.
>
> The original motivation was to fix a NFS+SELinux bug that I found while
> trying to get the NFS part of the selinux-testsuite [1] to work, which
> is fixed by patch 2.
>
> The first patch paves the way for the second one by eliminating the
> special case workaround in selinux_set_mnt_opts(), while also
> simplifying BTRFS's LSM mount option handling.
>
> I tested the patches by running the NFS part of the SELinux testsuite
> (which is now fully passing). I also added the pending patch for
> broken BTRFS LSM options support with fsconfig(2) [2] and ran the
> proposed BTRFS SELinux tests for selinux-testsuite [3] (still passing
> with all patches).

The Smack testsuite can be found at:
	https://github.com/smack-team/smack-testsuite.git

It might provide another layer of confidence.

>
> [1] https://github.com/SELinuxProject/selinux-testsuite/
> [2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/
> [3] https://lore.kernel.org/selinux/20201103110121.53919-2-richard_c_haines@btinternet.com/
>     ^^ the original patch no longer applies - a rebased version is here:
>     https://github.com/WOnder93/selinux-testsuite/commit/212e76b5bd0775c7507c1996bd172de3bcbff139.patch
>
> Ondrej Mosnacek (2):
>   vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag
>   selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount
>
>  fs/btrfs/super.c         | 35 ++++++-----------------------------
>  fs/nfs/fs_context.c      |  6 ++++--
>  fs/super.c               | 10 ++++++----
>  include/linux/fs.h       |  3 ++-
>  security/selinux/hooks.c | 32 +++++++++++++++++---------------
>  5 files changed, 35 insertions(+), 51 deletions(-)
>


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling
  2021-04-09 12:27 ` [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Al Viro
@ 2021-04-09 17:39   ` Ondrej Mosnacek
  2021-05-17 13:46     ` Ondrej Mosnacek
  0 siblings, 1 reply; 8+ messages in thread
From: Ondrej Mosnacek @ 2021-04-09 17:39 UTC (permalink / raw)
  To: Al Viro
  Cc: Linux Security Module list, SElinux list, linux-fsdevel,
	linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia,
	David Howells, Stephen Smalley

On Fri, Apr 9, 2021 at 2:28 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Fri, Apr 09, 2021 at 01:12:52PM +0200, Ondrej Mosnacek wrote:
> > This series attempts to clean up part of the mess that has grown around
> > the LSM mount option handling across different subsystems.
>
> I would not describe growing another FS_... flag

Why is that necessarily a bad thing?

> *AND* spreading the
> FS_BINARY_MOUNTDATA further, with rather weird semantics at that,
> as a cleanup of any sort.

How is this spreading it further? The patches remove one (rather bad)
use of it in SELinux and somewhat reduce its use in btrfs.

Hold on... actually I just realized that with FS_HANDLES_LSM_OPTS it
is possible to do btrfs without FS_BINARY_MOUNTDATA and also eliminate
the need for the workaround in vfs_parse_fs_param() (i.e. [2]).

Basically instead of setting FS_BINARY_MOUNTDATA | FS_HANDLES_LSM_OPTS
in btrfs_fs_type and neither in btrfs_root_fs_type, it is enough to
set neither in btrfs_fs_type and only FS_HANDLES_LSM_OPTS in
btrfs_root_fs_type. The security opts are then applied in the outer
vfs_get_tree() call instead of the inner one, but the net effect is
the same.

That should pretty much do away with both the non-legit users of
FS_BINARY_MOUNTDATA (selinux_set_mnt_opts() and btrfs). All the rest
seem to be in line with the semantic.

Would [something like] the above stand any chance of getting your approval?

[2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling
  2021-04-09 17:00 ` Casey Schaufler
@ 2021-04-09 17:43   ` Ondrej Mosnacek
  0 siblings, 0 replies; 8+ messages in thread
From: Ondrej Mosnacek @ 2021-04-09 17:43 UTC (permalink / raw)
  To: Casey Schaufler
  Cc: Linux Security Module list, SElinux list, linux-fsdevel,
	linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia, Al Viro,
	David Howells, Stephen Smalley

On Fri, Apr 9, 2021 at 7:00 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 4/9/2021 4:12 AM, Ondrej Mosnacek wrote:
> > This series attempts to clean up part of the mess that has grown around
> > the LSM mount option handling across different subsystems.
> >
> > The original motivation was to fix a NFS+SELinux bug that I found while
> > trying to get the NFS part of the selinux-testsuite [1] to work, which
> > is fixed by patch 2.
> >
> > The first patch paves the way for the second one by eliminating the
> > special case workaround in selinux_set_mnt_opts(), while also
> > simplifying BTRFS's LSM mount option handling.
> >
> > I tested the patches by running the NFS part of the SELinux testsuite
> > (which is now fully passing). I also added the pending patch for
> > broken BTRFS LSM options support with fsconfig(2) [2] and ran the
> > proposed BTRFS SELinux tests for selinux-testsuite [3] (still passing
> > with all patches).
>
> The Smack testsuite can be found at:
>         https://github.com/smack-team/smack-testsuite.git
>
> It might provide another layer of confidence.

Thanks, but that doesn't seem to exercise mounting/remounting btrfs
nor nfs with security options. Anything else should be unaffected.

>
> >
> > [1] https://github.com/SELinuxProject/selinux-testsuite/
> > [2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/
> > [3] https://lore.kernel.org/selinux/20201103110121.53919-2-richard_c_haines@btinternet.com/
> >     ^^ the original patch no longer applies - a rebased version is here:
> >     https://github.com/WOnder93/selinux-testsuite/commit/212e76b5bd0775c7507c1996bd172de3bcbff139.patch
> >
> > Ondrej Mosnacek (2):
> >   vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag
> >   selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount
> >
> >  fs/btrfs/super.c         | 35 ++++++-----------------------------
> >  fs/nfs/fs_context.c      |  6 ++++--
> >  fs/super.c               | 10 ++++++----
> >  include/linux/fs.h       |  3 ++-
> >  security/selinux/hooks.c | 32 +++++++++++++++++---------------
> >  5 files changed, 35 insertions(+), 51 deletions(-)
> >
>


-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling
  2021-04-09 17:39   ` Ondrej Mosnacek
@ 2021-05-17 13:46     ` Ondrej Mosnacek
  0 siblings, 0 replies; 8+ messages in thread
From: Ondrej Mosnacek @ 2021-05-17 13:46 UTC (permalink / raw)
  To: Al Viro
  Cc: Linux Security Module list, SElinux list, Linux FS Devel,
	linux-nfs, linux-btrfs, Paul Moore, Olga Kornievskaia,
	David Howells, Stephen Smalley

On Fri, Apr 9, 2021 at 7:39 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Fri, Apr 9, 2021 at 2:28 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Fri, Apr 09, 2021 at 01:12:52PM +0200, Ondrej Mosnacek wrote:
> > > This series attempts to clean up part of the mess that has grown around
> > > the LSM mount option handling across different subsystems.
> >
> > I would not describe growing another FS_... flag
>
> Why is that necessarily a bad thing?
>
> > *AND* spreading the
> > FS_BINARY_MOUNTDATA further, with rather weird semantics at that,
> > as a cleanup of any sort.
>
> How is this spreading it further? The patches remove one (rather bad)
> use of it in SELinux and somewhat reduce its use in btrfs.
>
> Hold on... actually I just realized that with FS_HANDLES_LSM_OPTS it
> is possible to do btrfs without FS_BINARY_MOUNTDATA and also eliminate
> the need for the workaround in vfs_parse_fs_param() (i.e. [2]).
>
> Basically instead of setting FS_BINARY_MOUNTDATA | FS_HANDLES_LSM_OPTS
> in btrfs_fs_type and neither in btrfs_root_fs_type, it is enough to
> set neither in btrfs_fs_type and only FS_HANDLES_LSM_OPTS in
> btrfs_root_fs_type. The security opts are then applied in the outer
> vfs_get_tree() call instead of the inner one, but the net effect is
> the same.
>
> That should pretty much do away with both the non-legit users of
> FS_BINARY_MOUNTDATA (selinux_set_mnt_opts() and btrfs). All the rest
> seem to be in line with the semantic.
>
> Would [something like] the above stand any chance of getting your approval?

So I posted this variant as v2 now:
https://lore.kernel.org/selinux/20210517134201.29271-1-omosnace@redhat.com/T/

>
> [2] https://lore.kernel.org/selinux/20210401065403.GA1363493@infradead.org/T/

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, back to index

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-09 11:12 [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Ondrej Mosnacek
2021-04-09 11:12 ` [PATCH 1/2] vfs,LSM: introduce the FS_HANDLES_LSM_OPTS flag Ondrej Mosnacek
2021-04-09 11:12 ` [PATCH 2/2] selinux: fix SECURITY_LSM_NATIVE_LABELS flag handling on double mount Ondrej Mosnacek
2021-04-09 12:27 ` [PATCH 0/2] vfs/security/NFS/btrfs: clean up and fix LSM option handling Al Viro
2021-04-09 17:39   ` Ondrej Mosnacek
2021-05-17 13:46     ` Ondrej Mosnacek
2021-04-09 17:00 ` Casey Schaufler
2021-04-09 17:43   ` Ondrej Mosnacek

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git