From: Ondrej Mosnacek <omosnace@redhat.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Paul Moore <paul@paul-moore.com>,
linux-btrfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
David Howells <dhowells@redhat.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
SElinux list <selinux@vger.kernel.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Richard Haines <richard_c_haines@btinternet.com>
Subject: Re: [PATCH v2] vfs: fix fsconfig(2) LSM mount option handling for btrfs
Date: Thu, 18 Mar 2021 10:42:57 +0100 [thread overview]
Message-ID: <CAFqZXNukusUPp+kO7vxPZBt5ehkpH6EUZ5e8XwUq9adOQHdMkQ@mail.gmail.com> (raw)
In-Reply-To: <YFEAD9UClhwxErgj@zeniv-ca.linux.org.uk>
On Tue, Mar 16, 2021 at 8:25 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Tue, Mar 16, 2021 at 02:21:45PM -0400, Paul Moore wrote:
> > On Tue, Mar 16, 2021 at 10:48 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > When SELinux security options are passed to btrfs via fsconfig(2) rather
> > > than via mount(2), the operation aborts with an error. What happens is
> > > roughly this sequence:
> > >
> > > 1. vfs_parse_fs_param() eats away the LSM options and parses them into
> > > fc->security.
> > > 2. legacy_get_tree() finds nothing in ctx->legacy_data, passes this
> > > nothing to btrfs.
> > > [here btrfs calls another layer of vfs_kern_mount(), but let's ignore
> > > that for simplicity]
>
> Let's not. This is where the root of the problem actually lies. Take a look
> at that sucker:
>
> struct fs_context *fc;
> struct vfsmount *mnt;
> int ret = 0;
>
> if (!type)
> return ERR_PTR(-EINVAL);
>
> fc = fs_context_for_mount(type, flags);
> if (IS_ERR(fc))
> return ERR_CAST(fc);
>
> if (name)
> ret = vfs_parse_fs_string(fc, "source",
> name, strlen(name));
> if (!ret)
> ret = parse_monolithic_mount_data(fc, data);
> if (!ret)
> mnt = fc_mount(fc);
> else
> mnt = ERR_PTR(ret);
>
> put_fs_context(fc);
> return mnt;
>
> That's where the problem comes - you've lost the original context's ->security.
> Note that there's such thing as security_fs_context_dup(), so you can bloody
> well either
> * provide a variant of vfs_kern_mount() that would take 'base' fc to
> pick security options from or
> * do all options parsing on btrfs fc and then do fs_context_for_mount +
> security_fs_context_dup + copy (parsed) options to whatever private data you
> use for btrfs_root context + fc_mount + put_fs_context yourself.
>
> My preference would be the latter, but I have *not* looked at btrfs mount options
> handling in any details.
Ack, I'll look into that. I didn't dare to try to touch btrfs mount
handling (if it was straightforward, someone would've already done it,
right? :), but it sounds like converting just this one
vfs_kern_mount() could be relatively easy, would fix the bug, and
would be an incremental improvement.
>
> > VFS folks, can we get a verdict/feedback on this patch? The v1 draft
> > of this patch was posted almost four months ago with no serious
> > comments/feedback. It's a bit ugly, but it does appear to work and at
> > the very least SELinux needs this to handle btrfs properly, other LSMs
> > may need this too.
>
> It's more than a bit ugly; it perpetuates the use of FS_BINARY_MOUNTDATA,
> and the semantics it gets is quite counterintuitive at that.
Fair enough.
Thank you for the feedback and hints!
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
next prev parent reply other threads:[~2021-03-18 9:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-16 14:48 [PATCH v2] vfs: fix fsconfig(2) LSM mount option handling for btrfs Ondrej Mosnacek
2021-03-16 18:21 ` Paul Moore
2021-03-16 18:59 ` Al Viro
2021-03-18 9:42 ` Ondrej Mosnacek [this message]
2021-03-29 9:00 ` Ondrej Mosnacek
2021-04-01 6:54 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFqZXNukusUPp+kO7vxPZBt5ehkpH6EUZ5e8XwUq9adOQHdMkQ@mail.gmail.com \
--to=omosnace@redhat.com \
--cc=dhowells@redhat.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).