From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
	cgroups@vger.kernel.org, Tejun Heo <tj@kernel.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	Li Zefan <lizefan@huawei.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Ondrej Mosnacek <omosnace@redhat.com>
Subject: [RFC PATCH 2/3] selinux: never allow relabeling on context mounts
Date: Thu, 13 Dec 2018 15:17:38 +0100
Message-ID: <20181213141739.8534-3-omosnace@redhat.com>
In-Reply-To: <20181213141739.8534-1-omosnace@redhat.com>

In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling
files/directories, so we should never set the SBLABEL_MNT flag in this
case. The 'special handling' in selinux_is_sblabel_mnt() is only
intended for SECURITY_FS_USE_GENFS.

While there, make the logic in selinux_is_sblabel_mnt() more explicit
and add a BUILD_BUG_ON() to make sure that introducing a new
SECURITY_FS_USE_* forces a review of the logic.

Note that checkpatch.pl produces some false positives here, likely
having problems recognizing the monstrous return statement...

Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 security/selinux/hooks.c | 41 ++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7ce012d9ec51..d6d29ec54eab 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -501,19 +501,36 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
 {
 	struct superblock_security_struct *sbsec = sb->s_security;
 
-	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
-		sbsec->behavior == SECURITY_FS_USE_TRANS ||
-		sbsec->behavior == SECURITY_FS_USE_TASK ||
-		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
+	/*
+	 * IMPORTANT: Double-check logic in this function when adding a new
+	 * SECURITY_FS_USE_* definition!
+	 */
+	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
+
+	switch (sbsec->behavior) {
+	case SECURITY_FS_USE_XATTR:
+	case SECURITY_FS_USE_TRANS:
+	case SECURITY_FS_USE_TASK:
+	case SECURITY_FS_USE_NATIVE:
+		return 1;
+
+	case SECURITY_FS_USE_GENFS:
 		/* Special handling. Genfs but also in-core setxattr handler */
-		!strcmp(sb->s_type->name, "sysfs") ||
-		!strcmp(sb->s_type->name, "pstore") ||
-		!strcmp(sb->s_type->name, "debugfs") ||
-		!strcmp(sb->s_type->name, "tracefs") ||
-		!strcmp(sb->s_type->name, "rootfs") ||
-		(selinux_policycap_cgroupseclabel() &&
-		 (!strcmp(sb->s_type->name, "cgroup") ||
-		  !strcmp(sb->s_type->name, "cgroup2")));
+		return	!strcmp(sb->s_type->name, "sysfs") ||
+			!strcmp(sb->s_type->name, "pstore") ||
+			!strcmp(sb->s_type->name, "debugfs") ||
+			!strcmp(sb->s_type->name, "tracefs") ||
+			!strcmp(sb->s_type->name, "rootfs") ||
+			(selinux_policycap_cgroupseclabel() &&
+			 (!strcmp(sb->s_type->name, "cgroup") ||
+			  !strcmp(sb->s_type->name, "cgroup2")));
+
+	/* Never allow relabeling on context mounts */
+	case SECURITY_FS_USE_MNTPOINT:
+	case SECURITY_FS_USE_NONE:
+	default:
+		return 0;
+	}
 }
 
 static int sb_finish_set_opts(struct super_block *sb)
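
Review bot: The last case group (SECURITY_FS_USE_MNTPOINT, SECURITY_FS_USE_NONE, default) changes more than the comment above it and the commit message say. The removed expression returned true for sysfs, pstore, debugfs, tracefs and rootfs by name regardless of sbsec->behavior, while the new switch returns 0 for those filesystems unless the behavior is SECURITY_FS_USE_GENFS, so SECURITY_FS_USE_NONE on them is affected as well as context mounts. Please either mention that in the commit message or explain why it cannot occur, and move "Never allow relabeling on context mounts" so it labels only the MNTPOINT case. Also, because default: returns 0 silently for any value added later, BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7) is the only guard; the comment over it should say what the 7 corresponds to so the next person knows what to update.
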
-- 
2.19.2

