From: Ondrej Mosnacek <omosnace@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
cgroups@vger.kernel.org, Tejun Heo <tj@kernel.org>,
Li Zefan <lizefan@huawei.com>,
Johannes Weiner <hannes@cmpxchg.org>
Subject: Re: [RFC PATCH 3/3] selinux: do not override context on context mounts
Date: Tue, 18 Dec 2018 16:50:33 +0100 [thread overview]
Message-ID: <CAFqZXNvVw0tfxYAphm-Yibhy5JoeP2SzvUb_QDRPnNtJRTCGcA@mail.gmail.com> (raw)
In-Reply-To: <a779b0e5-79d5-8a10-8372-488de5f8345f@tycho.nsa.gov>
On Thu, Dec 13, 2018 at 5:25 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/13/18 9:17 AM, Ondrej Mosnacek wrote:
> > Ignore all selinux_inode_notifysecctx() calls on mounts with the
> > SECURITY_FS_USE_MNTPOINT behavior.
> >
> > This fixes behavior of kernfs-based filesystems when mounted with the
> > 'context=' option. Before this patch, if a node's context had been
> > explicitly set to a non-default value and later the filesystem has been
> > remounted with the 'context=' option, then this node would show up as
> > having a different context.
> >
> > Steps to reproduce:
> > # mount -t cgroup2 cgroup2 /sys/fs/cgroup/unified
> > # chcon unconfined_u:object_r:user_home_t:s0 /sys/fs/cgroup/unified/cgroup.stat
> > # ls -lZ /sys/fs/cgroup/unified
> > total 0
> > -r--r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.controllers
> > -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.depth
> > -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.descendants
> > -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.procs
> > -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
> > -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.subtree_control
> > -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.threads
> > # umount /sys/fs/cgroup/unified
> > # mount -o context=system_u:object_r:tmpfs_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
> >
> > Result before:
> > # ls -lZ /sys/fs/cgroup/unified
> > total 0
> > -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
> > -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
> >
> > Result after:
> > # ls -lZ /sys/fs/cgroup/unified
> > total 0
> > -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
> > -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.stat
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
> > -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> > security/selinux/hooks.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index d6d29ec54eab..0ca5ed30afe1 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -6620,6 +6620,13 @@ static void selinux_inode_invalidate_secctx(struct inode *inode)
> > */
> > static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
> > {
> > + struct superblock_security_struct *sbsec = inode->i_sb->s_security;
> > +
> > + /* Do not change context in SECURITY_FS_USE_MNTPOINT case */
> > + if ((sbsec->flags & SE_SBINITIALIZED) &&
> > + (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
> > + return 0;
> > +
> > return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
> > }
>
> Wondering if we ought to take this into selinux_inode_setsecurity() and
> return -EOPNOTSUPP in that case. We already return -EOPNOTSUPP from
> selinux_inode_setxattr() if (!(sbsec->flags & SBLABEL_MNT)) and that
> should precede other calls to selinux_inode_setsecurity() IIRC.
Maybe, but see below. In selinux_inode_setsecurity() we should indeed
check for SBLABEL_MNT, but only if it is called directly as a hook
(but I'm not sure if it is worth it in this case, since as you say, a
prior selinux_inode_setxattr() failure should always prevent this hook
from being called). selinux_inode_notifysecctx() has a bit different
semantics, IMHO.
> Should we just be checking SBLABEL_MNT here instead?
I don't think so. IIUC, the purpose of selinux_inode_notifysecctx() is
to adjust the sid that has been assigned by selinux_d_instantiate() by
the label that is 'stored' for the particular node internally by the
filesystem. I would say the fact whether we want to use the stored
label depends on the sbsec->behavior value (BTW, shouldn't we also
return 0 in case of SECURITY_FS_USE_TASK? or even
SECURITY_FS_USE_TRANS?). I understand the SBLABEL_MNT flag more as an
indication of whether we want the user to allow setting the label
explicitly (and probably also implicitly via tsec->create_sid).
> And do we need to separately check SE_SBINITIALIZED?
I'm not sure, but other places in the code check that flag before
checking sbsec->behavior, so it seemed to me as the right thing to do.
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
next prev parent reply other threads:[~2018-12-18 15:50 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-13 14:17 [RFC PATCH 0/3] Fix SELinux context mount with the cgroup filesystem Ondrej Mosnacek
2018-12-13 14:17 ` [RFC PATCH 1/3] cgroup: fix parsing empty mount option string Ondrej Mosnacek
2018-12-13 16:03 ` Tejun Heo
2018-12-28 15:14 ` Ondrej Mosnacek
2018-12-28 18:32 ` Tejun Heo
2018-12-13 14:17 ` [RFC PATCH 2/3] selinux: never allow relabeling on context mounts Ondrej Mosnacek
2018-12-13 16:18 ` Stephen Smalley
2018-12-18 15:38 ` Ondrej Mosnacek
2018-12-13 14:17 ` [RFC PATCH 3/3] selinux: do not override context " Ondrej Mosnacek
2018-12-13 16:27 ` Stephen Smalley
2018-12-18 15:50 ` Ondrej Mosnacek [this message]
2018-12-18 19:22 ` Stephen Smalley
2018-12-19 11:44 ` Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFqZXNvVw0tfxYAphm-Yibhy5JoeP2SzvUb_QDRPnNtJRTCGcA@mail.gmail.com \
--to=omosnace@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=lizefan@huawei.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).