selinux.vger.kernel.org archive mirror
* [PATCH][v2] selinux: Allow context mounts for unprivileged overlayfs
From: Vivek Goyal @ 2021-02-11 18:03 UTC
  To: selinux, linux-unionfs
  Cc: Paul Moore, Stephen Smalley, Eric Paris, Miklos Szeredi,
	Daniel J Walsh, Ondrej Mosnacek, Amir Goldstein,
	Giuseppe Scrivano

Now overlayfs allows unprivileged mounts. That is, root inside a non-init
user namespace can mount overlayfs. This is being added in the 5.11 kernel.

Giuseppe tried to mount overlayfs with the option "context" and it failed
with error -EACCES.

$ su test
$ unshare -rm
$ mkdir -p lower upper work merged
$ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged

This fails with -EACCES. It works if the option "-o context" is not specified.

A little debugging showed that selinux_set_mnt_opts() returns -EACCES.

So this patch adds "overlay" to the list of filesystems for which it is fine
to specify a context from a non-init_user_ns.

v2: Fixed commit message to reflect that unprivileged overlayfs mount is
    being added in 5.11 and not in 5.10 kernel.

Reported-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 security/selinux/hooks.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: redhat-linux/security/selinux/hooks.c
===================================================================
--- redhat-linux.orig/security/selinux/hooks.c	2021-02-09 10:56:12.954988476 -0500
+++ redhat-linux/security/selinux/hooks.c	2021-02-09 14:36:33.136205330 -0500
@@ -733,7 +733,8 @@ static int selinux_set_mnt_opts(struct s
 	if (sb->s_user_ns != &init_user_ns &&
 	    strcmp(sb->s_type->name, "tmpfs") &&
 	    strcmp(sb->s_type->name, "ramfs") &&
-	    strcmp(sb->s_type->name, "devpts")) {
+	    strcmp(sb->s_type->name, "devpts") &&
+	    strcmp(sb->s_type->name, "overlay")) {
 		if (context_sid || fscontext_sid || rootcontext_sid ||
 		    defcontext_sid) {
 			rc = -EACCES;
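Review bot: the commit message only talks about context=, but the exemption added by the new strcmp(sb->s_type->name, "overlay") line covers the whole if (context_sid || fscontext_sid || rootcontext_sid || defcontext_sid) check, so a mounter in a non-init user namespace can now also pass fscontext=, rootcontext= and defcontext= to an overlay mount; if that is intended, the commit message should say so and give the rationale (the same one that put tmpfs, ramfs and devpts on this list), and if not, the check needs to distinguish the four options rather than exempt them together. As a minor style point, the chain of strcmp() calls on sb->s_type->name has grown to four entries and would read better as a small array of allowed filesystem names walked in a loop.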



* Re: [PATCH][v2] selinux: Allow context mounts for unprivileged overlayfs
From: Paul Moore @ 2021-02-11 21:24 UTC
  To: Vivek Goyal
  Cc: selinux, linux-unionfs, Stephen Smalley, Eric Paris,
	Miklos Szeredi, Daniel J Walsh, Ondrej Mosnacek, Amir Goldstein,
	Giuseppe Scrivano

On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>
> Now overlayfs allows unprivileged mounts. That is, root inside a non-init
> user namespace can mount overlayfs. This is being added in the 5.11 kernel.
>
> Giuseppe tried to mount overlayfs with the option "context" and it failed
> with error -EACCES.
>
> $ su test
> $ unshare -rm
> $ mkdir -p lower upper work merged
> $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
>
> This fails with -EACCES. It works if the option "-o context" is not specified.
>
> A little debugging showed that selinux_set_mnt_opts() returns -EACCES.
>
> So this patch adds "overlay" to the list of filesystems for which it is fine
> to specify a context from a non-init_user_ns.
>
> v2: Fixed commit message to reflect that unprivileged overlayfs mount is
>     being added in 5.11 and not in 5.10 kernel.
>
> Reported-by: Giuseppe Scrivano <gscrivan@redhat.com>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> ---
>  security/selinux/hooks.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Thanks Vivek, once the merge window closes I'll merge this into
selinux/next and send a note to this thread.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH][v2] selinux: Allow context mounts for unprivileged overlayfs
From: Daniel Walsh @ 2021-02-11 22:41 UTC
  To: Paul Moore, Vivek Goyal
  Cc: selinux, linux-unionfs, Stephen Smalley, Eric Paris,
	Miklos Szeredi, Ondrej Mosnacek, Amir Goldstein,
	Giuseppe Scrivano

On 2/11/21 16:24, Paul Moore wrote:
> On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>> Now overlayfs allows unprivileged mounts. That is, root inside a non-init
>> user namespace can mount overlayfs. This is being added in the 5.11 kernel.
>>
>> Giuseppe tried to mount overlayfs with the option "context" and it failed
>> with error -EACCES.
>>
>> $ su test
>> $ unshare -rm
>> $ mkdir -p lower upper work merged
>> $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
>>
>> This fails with -EACCES. It works if the option "-o context" is not specified.
>>
>> A little debugging showed that selinux_set_mnt_opts() returns -EACCES.
>>
>> So this patch adds "overlay" to the list of filesystems for which it is fine
>> to specify a context from a non-init_user_ns.
>>
>> v2: Fixed commit message to reflect that unprivileged overlayfs mount is
>>     being added in 5.11 and not in 5.10 kernel.
>>
>> Reported-by: Giuseppe Scrivano <gscrivan@redhat.com>
>> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
>> ---
>>   security/selinux/hooks.c |    3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
> Thanks Vivek, once the merge window closes I'll merge this into
> selinux/next and send a note to this thread.
>
In order for us to take advantage of rootless overlay we need this
feature ASAP.



* Re: [PATCH][v2] selinux: Allow context mounts for unprivileged overlayfs
From: Paul Moore @ 2021-02-11 23:28 UTC
  To: Dan Walsh
  Cc: Vivek Goyal, selinux, linux-unionfs, Stephen Smalley, Eric Paris,
	Miklos Szeredi, Ondrej Mosnacek, Amir Goldstein,
	Giuseppe Scrivano

On Thu, Feb 11, 2021 at 5:41 PM Daniel Walsh <dwalsh@redhat.com> wrote:
> On 2/11/21 16:24, Paul Moore wrote:
> > On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> >> Now overlayfs allows unprivileged mounts. That is, root inside a non-init
> >> user namespace can mount overlayfs. This is being added in the 5.11 kernel.
> >>
> >> Giuseppe tried to mount overlayfs with the option "context" and it failed
> >> with error -EACCES.
> >>
> >> $ su test
> >> $ unshare -rm
> >> $ mkdir -p lower upper work merged
> >> $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
> >>
> >> This fails with -EACCES. It works if the option "-o context" is not specified.
> >>
> >> A little debugging showed that selinux_set_mnt_opts() returns -EACCES.
> >>
> >> So this patch adds "overlay" to the list of filesystems for which it is fine
> >> to specify a context from a non-init_user_ns.
> >>
> >> v2: Fixed commit message to reflect that unprivileged overlayfs mount is
> >>     being added in 5.11 and not in 5.10 kernel.
> >>
> >> Reported-by: Giuseppe Scrivano <gscrivan@redhat.com>
> >> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> >> ---
> >>   security/selinux/hooks.c |    3 ++-
> >>   1 file changed, 2 insertions(+), 1 deletion(-)
> > Thanks Vivek, once the merge window closes I'll merge this into
> > selinux/next and send a note to this thread.
>
> In order for us to take advantage of rootless overlay we need this
> feature ASAP.

It will get merged into selinux/next *after* this upcoming merge
window.  I'm sorry, but -rc7 is just too late for new functionality;
kernel changes need to soak before hitting Linus' tree and with the
merge window opening in about three days that simply isn't enough
time.  Come on Dan, even you have to know that ...

-- 
paul moore
www.paul-moore.com


* Re: [PATCH][v2] selinux: Allow context mounts for unprivileged overlayfs
From: Daniel Walsh @ 2021-02-12 11:57 UTC
  To: Paul Moore
  Cc: Vivek Goyal, selinux, linux-unionfs, Stephen Smalley, Eric Paris,
	Miklos Szeredi, Ondrej Mosnacek, Amir Goldstein,
	Giuseppe Scrivano

On 2/11/21 18:28, Paul Moore wrote:
> On Thu, Feb 11, 2021 at 5:41 PM Daniel Walsh <dwalsh@redhat.com> wrote:
>> On 2/11/21 16:24, Paul Moore wrote:
>>> On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>>>> Now overlayfs allows unprivileged mounts. That is, root inside a non-init
>>>> user namespace can mount overlayfs. This is being added in the 5.11 kernel.
>>>>
>>>> Giuseppe tried to mount overlayfs with the option "context" and it failed
>>>> with error -EACCES.
>>>>
>>>> $ su test
>>>> $ unshare -rm
>>>> $ mkdir -p lower upper work merged
>>>> $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
>>>>
>>>> This fails with -EACCES. It works if the option "-o context" is not specified.
>>>>
>>>> A little debugging showed that selinux_set_mnt_opts() returns -EACCES.
>>>>
>>>> So this patch adds "overlay" to the list of filesystems for which it is fine
>>>> to specify a context from a non-init_user_ns.
>>>>
>>>> v2: Fixed commit message to reflect that unprivileged overlayfs mount is
>>>>     being added in 5.11 and not in 5.10 kernel.
>>>>
>>>> Reported-by: Giuseppe Scrivano <gscrivan@redhat.com>
>>>> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
>>>> ---
>>>>    security/selinux/hooks.c |    3 ++-
>>>>    1 file changed, 2 insertions(+), 1 deletion(-)
>>> Thanks Vivek, once the merge window closes I'll merge this into
>>> selinux/next and send a note to this thread.
>> In order for us to take advantage of rootless overlay we need this
>> feature ASAP.
> It will get merged into selinux/next *after* this upcoming merge
> window.  I'm sorry, but -rc7 is just too late for new functionality;
> kernel changes need to soak before hitting Linus' tree and with the
> merge window opening in about three days that simply isn't enough
> time.  Come on Dan, even you have to know that ...
>
Well if that is ASAP, then fine, next window. Sadly this delays us three
months from getting this feature out and tested, but we can live with this.
Once it gets into a Release candidate we can push people to Rawhide to begin
testing it.



* Re: [PATCH][v2] selinux: Allow context mounts for unprivileged overlayfs
From: Paul Moore @ 2021-02-12 17:05 UTC
  To: Dan Walsh
  Cc: Vivek Goyal, selinux, linux-unionfs, Stephen Smalley, Eric Paris,
	Miklos Szeredi, Ondrej Mosnacek, Amir Goldstein,
	Giuseppe Scrivano

On Fri, Feb 12, 2021 at 6:58 AM Daniel Walsh <dwalsh@redhat.com> wrote:
> On 2/11/21 18:28, Paul Moore wrote:
> > It will get merged into selinux/next *after* this upcoming merge
> > window.  I'm sorry, but -rc7 is just too late for new functionality;
> > kernel changes need to soak before hitting Linus' tree and with the
> > merge window opening in about three days that simply isn't enough
> > time.  Come on Dan, even you have to know that ...
>
> Well if that is ASAP, then fine, next window. Sadly this delays us three
> months from getting this feature out and tested, but we can live with this.

It's consistent with the policy I've been following for years at this
point, regular SELinux (and audit) kernel contributors as well as
people who follow the related lists should be well aware of this by
now.  If you look at the SELinux kernel tree you'll find this
documented in the README.md file in the top level directory; here is
the relevant excerpt:

"Patches will be merged into the subsystem's next branch during the
development cycle which extends from merge window close up until the
merge window reopens. However, it is important to note that large,
complicated, or invasive patches sent late in the development cycle
may be deferred until the next cycle. As a general rule, only small
patches or critical fixes will be merged after -rc5/-rc6."

https://github.com/SELinuxProject/selinux-kernel
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md

> Once it gets into a Release candidate we can push people to Rawhide to begin testing it.

As a reminder, once a patch hits the selinux/next branch it should
show up in my kernel-secnext builds within about an hour (+/- 30m
depending on the time and day).  Currently packages are only built for
Fedora Rawhide (source, x86_64, aarch64), but I still have aspirations
for providing Debian sid packages someday.

https://paul-moore.com/blog/d/2019/04/kernel_secnext_repo.html

-- 
paul moore
www.paul-moore.com


* Re: [PATCH][v2] selinux: Allow context mounts for unprivileged overlayfs
From: Paul Moore @ 2021-03-05  2:09 UTC
  To: Vivek Goyal
  Cc: selinux, linux-unionfs, Stephen Smalley, Eric Paris,
	Miklos Szeredi, Daniel J Walsh, Ondrej Mosnacek, Amir Goldstein,
	Giuseppe Scrivano

On Thu, Feb 11, 2021 at 4:24 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> >
> > Now overlayfs allows unprivileged mounts. That is, root inside a non-init
> > user namespace can mount overlayfs. This is being added in the 5.11 kernel.
> >
> > Giuseppe tried to mount overlayfs with the option "context" and it failed
> > with error -EACCES.
> >
> > $ su test
> > $ unshare -rm
> > $ mkdir -p lower upper work merged
> > $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
> >
> > This fails with -EACCES. It works if the option "-o context" is not specified.
> >
> > A little debugging showed that selinux_set_mnt_opts() returns -EACCES.
> >
> > So this patch adds "overlay" to the list of filesystems for which it is fine
> > to specify a context from a non-init_user_ns.
> >
> > v2: Fixed commit message to reflect that unprivileged overlayfs mount is
> >     being added in 5.11 and not in 5.10 kernel.
> >
> > Reported-by: Giuseppe Scrivano <gscrivan@redhat.com>
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > ---
> >  security/selinux/hooks.c |    3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
>
> Thanks Vivek, once the merge window closes I'll merge this into
> selinux/next and send a note to this thread.

I just merged this into my local selinux/next and will be pushing it
to kernel.org later tonight.  Thanks!

-- 
paul moore
www.paul-moore.com

