From 4a49d45dd58994f4fc9b40c502252403caadee88 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 8 Dec 2016 09:14:47 -0500
Subject: [PATCH] selinux: allow context mounts on tmpfs, ramfs, devpts within
user namespaces
commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
unprivileged mounts from user namespaces") prohibited any use of context
mount options within non-init user namespaces. However, this breaks
use of context mount options for tmpfs mounts within user namespaces,
which are being used by Docker/runc. There is no reason to block such
usage for tmpfs, ramfs or devpts. Exempt these filesystem types
from this restriction.
Before:
sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
mount: tmpfs is write-protected, mounting read-only
mount: cannot mount tmpfs read-only
After:
sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
sh# ls -Zd /tmp
unconfined_u:object_r:user_tmp_t:s0:c13 /tmp
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b508a5a..e7c5481 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
}
|
/*
- * If this is a user namespace mount, no contexts are allowed
- * on the command line and security labels must be ignored.
+ * If this is a user namespace mount and the filesystem type is not
+ * explicitly whitelisted, then no contexts are allowed on the command
+ * line and security labels must be ignored.
*/
- if (sb->s_user_ns != &init_user_ns) {
+ if (sb->s_user_ns != &init_user_ns &&
+ strcmp(sb->s_type->name, "tmpfs") &&
+ strcmp(sb->s_type->name, "ramfs") &&
+ strcmp(sb->s_type->name, "devpts")) {
if (context_sid || fscontext_sid || rootcontext_sid ||
defcontext_sid) {
rc = -EACCES;
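Review bot: The exemption added at `strcmp(sb->s_type->name, "tmpfs") && ...` hard-codes three filesystem names inline, and neither the new comment nor the code records why these particular types are safe to receive context options from a non-init user namespace — the commit message only says there is "no reason to block" them. Presumably the criterion is that these filesystems are memory-backed and carry no persistent on-disk labels an unprivileged mounter could supply, but that should be stated next to the list so the next addition is judged against the same rule. Moving the names into a static table behind a small helper keeps the condition in selinux_set_mnt_opts readable and gives one place to document the criterion. selinux_set_mnt_opts begins and ends outside this hunk, so the later checks on the supplied contexts are not visible here.
```c
/*
 * Filesystem types exempt from the user-namespace context-mount
 * restriction in selinux_set_mnt_opts().  Record the rationale for
 * each entry when adding to this list.
 */
static const char * const userns_context_mount_fs[] = {
	"tmpfs",
	"ramfs",
	"devpts",
};

static bool selinux_userns_context_mount_allowed(const struct super_block *sb)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(userns_context_mount_fs); i++) {
		if (!strcmp(sb->s_type->name, userns_context_mount_fs[i]))
			return true;
	}
	return false;
}

/* … unchanged: selinux_set_mnt_opts() up to the user namespace check … */
	if (sb->s_user_ns != &init_user_ns &&
	    !selinux_userns_context_mount_allowed(sb)) {
```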
--
2.4.11