From: Vivek Goyal <vgoyal@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: selinux@vger.kernel.org, linux-unionfs@vger.kernel.org,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Eric Paris <eparis@parisplace.org>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Daniel J Walsh <dwalsh@redhat.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Amir Goldstein <amir73il@gmail.com>,
	Giuseppe Scrivano <gscrivan@redhat.com>
Subject: Re: [PATCH] selinux: Allow context mounts for unprivileged overlayfs
Date: Thu, 11 Feb 2021 09:01:47 -0500	[thread overview]
Message-ID: <20210211140147.GA5014@redhat.com> (raw)
In-Reply-To: <CAHC9VhQYE3ga53AiK2r-568_=2U0BJe+L4g9U_J0dLinzJqXYA@mail.gmail.com>

On Wed, Feb 10, 2021 at 06:50:57PM -0500, Paul Moore wrote:
> On Tue, Feb 9, 2021 at 3:02 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> >
> > Now overlayfs allows unprivileged mounts. That is, root inside a non-init
> > user namespace can mount overlayfs. This was added in the 5.10 kernel.

Actually this is being added in 5.11 kernel (and not 5.10 kernel).

Paul, can you please fix this while committing? If you want me to
report, let me know.

> >
> > Giuseppe tried to mount overlayfs with option "context" and it failed
> > with error -EACCESS.
> >
> > $ su test
> > $ unshare -rm
> > $ mkdir -p lower upper work merged
> > $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
> >
> > This fails with -EACCESS. It works if option "-o context" is not specified.
> >
> > A little debugging showed that selinux_set_mnt_opts() returns -EACCESS.
> >
> > So this patch adds "overlay" to the list where it is fine to specify a
> > context from a non-init_user_ns.
> >
> > Reported-by: Giuseppe Scrivano <gscrivan@redhat.com>
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > ---
> >  security/selinux/hooks.c |    3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> This seems reasonable, but since we are at -rc7 this week it will need
> to wait until after the upcoming merge window.  It's too late in the
> cycle for new features.

I am fine with this going in 5.12 kernel. Thanks Paul.

Vivek
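The reproduction quoted above (a user-namespace overlayfs mount with `userxattr` and `context=`) is easy to turn into a repeatable check for whether a given kernel carries both the unprivileged overlayfs support (5.11, per the correction in this reply) and the SELinux side of this patch. The script below is an added example and is not code from the thread or from the kernel patch. It assumes `unshare(1)` and `mount(8)` are installed, that the kernel has SELinux enabled, and it reuses the `container_file_t` context from the report as its default; the mapping from `mount(8)` error text to an errno name is a heuristic on the message wording, not a read of the errno itself.

```shell
#!/bin/sh
# Added example (not from the thread or the patch): probe whether an
# overlayfs mount made as root inside a non-init user namespace accepts
# an SELinux "context=" option, mirroring the quoted reproduction steps.
# Assumptions: unshare(1) and mount(8) exist and SELinux is enabled.

# kernel_at_least VERSION MAJOR.MINOR
# Returns 0 when VERSION (a uname -r string such as "5.12.0-rc1-x86") is
# at least MAJOR.MINOR, 1 otherwise. Only major and minor are compared.
kernel_at_least() {
    ver=${1%%-*}          # strip "-rc1", "-generic", ... suffixes
    vmaj=${ver%%.*}
    rest=${ver#*.}
    vmin=${rest%%.*}
    wmaj=${2%%.*}
    wmin=${2#*.}
    if [ "$vmaj" -gt "$wmaj" ]; then return 0; fi
    if [ "$vmaj" -eq "$wmaj" ] && [ "$vmin" -ge "$wmin" ]; then return 0; fi
    return 1
}

# classify_mount_error STDERR_TEXT
# Prints a short token for the failure seen in mount(8) output. The report
# describes the pre-fix failure as an EACCES ("Permission denied"); the
# match is case-insensitive because util-linux wording varies by version.
classify_mount_error() {
    msg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$msg" in
        *"permission denied"*|*eacces*)         echo eacces ;;
        *"operation not permitted"*|*eperm*)    echo eperm ;;
        *"unknown filesystem type"*|*enodev*)   echo nooverlay ;;
        *)                                      echo other ;;
    esac
}

# probe_context_mount [CONTEXT]
# Runs the reproduction inside a fresh user+mount namespace and prints
# ok / eacces / eperm / nooverlay / other. The mount itself disappears
# with the namespace; only the scratch directory is removed here.
probe_context_mount() {
    ctx=${1:-system_u:object_r:container_file_t:s0}
    scratch=$(mktemp -d) || { echo other; return 1; }
    # $0 inside the inner shell is the context string passed after the script.
    if err=$(cd "$scratch" && unshare -rm sh -c '
        mkdir -p lower upper work merged &&
        mount -t overlay \
          -o "lowerdir=lower,upperdir=upper,workdir=work,userxattr,context=$0" \
          none merged
    ' "$ctx" 2>&1); then
        status=0
    else
        status=$?
    fi
    rm -rf "$scratch"
    if [ "$status" -eq 0 ]; then
        echo ok
        return 0
    fi
    classify_mount_error "$err"
    return 1
}

# Usage: sh probe.sh probe [CONTEXT]
# Doing nothing without the "probe" argument keeps the functions sourceable.
case "${1:-}" in
    probe)
        if ! kernel_at_least "$(uname -r)" 5.11; then
            echo "kernel $(uname -r) predates unprivileged overlayfs mounts (5.11)"
            exit 2
        fi
        result=$(probe_context_mount "${2:-}") || true
        echo "overlay context mount inside user namespace: $result"
        ;;
esac
```

Run it as an unprivileged user with `sh probe.sh probe`; `eacces` is the outcome the report describes, `ok` means the SELinux hook accepted the context from the user namespace, and `eperm` usually points at user namespaces being disabled for unprivileged users rather than at this patch.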



Thread overview: 5+ messages
2021-02-09 20:02 [PATCH] selinux: Allow context mounts for unprivileged overlayfs Vivek Goyal
2021-02-10 23:50 ` Paul Moore
2021-02-11 14:01   ` Vivek Goyal [this message]
2021-02-11 16:32     ` Paul Moore
2021-02-11 16:56       ` Vivek Goyal