rpms / kernel

Clone
Source Code
GIT

Blame selinux-namespace-fix.patch

26 Label_NFS f10 f11 f12 f12-user-myoung-xendom0 f13 f13-2.6.33-master f13-user-steved-pnfs-13 f14 f14-user-kyle-bz664206 f14-user-kyle-f14-2.6.37 f14-user-lkundrak-vaio-brightness-645937 f14-user-steved-pnfs-f14 f15 f15-2.6.39 f15-30-going-on-40 f15-user-steved-pnfs-f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f25-pf f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main oneoffs private-jcm-arm-nosmp-kallsyms private-jcm-arm-nosmp-kallsyms-f17 private-nhorman-sgx-v15 rawhide rhbz_1205083 stabilization talos user/steved/f19-lnfs-v3.8 user/steved/f19-lnfs-v3.8-rc7
  1.   324841e6242e466f808961cbbed55842bf8bee29
  2.   selinux-namespace-fix.patch
Blob History Raw
0ad9385 
From 4a49d45dd58994f4fc9b40c502252403caadee88 Mon Sep 17 00:00:00 2001
0ad9385 
From: Stephen Smalley <sds@tycho.nsa.gov>
0ad9385 
Date: Thu, 8 Dec 2016 09:14:47 -0500
0ad9385 
Subject: [PATCH] selinux: allow context mounts on tmpfs, ramfs, devpts within
0ad9385 
 user namespaces
0ad9385
0ad9385 
commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
0ad9385 
unprivileged mounts from user namespaces") prohibited any use of context
0ad9385 
mount options within non-init user namespaces.  However, this breaks
0ad9385 
use of context mount options for tmpfs mounts within user namespaces,
0ad9385 
which are being used by Docker/runc.  There is no reason to block such
0ad9385 
usage for tmpfs, ramfs or devpts.  Exempt these filesystem types
0ad9385 
from this restriction.
0ad9385
0ad9385 
Before:
0ad9385 
sh$ userns_child_exec  -p -m -U -M '0 1000 1' -G '0 1000 1' bash
0ad9385 
sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
0ad9385 
mount: tmpfs is write-protected, mounting read-only
0ad9385 
mount: cannot mount tmpfs read-only
0ad9385
0ad9385 
After:
0ad9385 
sh$ userns_child_exec  -p -m -U -M '0 1000 1' -G '0 1000 1' bash
0ad9385 
sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
0ad9385 
sh# ls -Zd /tmp
0ad9385 
unconfined_u:object_r:user_tmp_t:s0:c13 /tmp
0ad9385
0ad9385 
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
0ad9385 
Signed-off-by: Paul Moore <paul@paul-moore.com>
0ad9385 
---
0ad9385 
 security/selinux/hooks.c | 10 +++++++---
0ad9385 
 1 file changed, 7 insertions(+), 3 deletions(-)
0ad9385
0ad9385 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
0ad9385 
index b508a5a..e7c5481 100644
0ad9385 
--- a/security/selinux/hooks.c
0ad9385 
+++ b/security/selinux/hooks.c
0ad9385 
@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
0ad9385 
 	}
0ad9385
0ad9385 
 	/*
0ad9385 
-	 * If this is a user namespace mount, no contexts are allowed
0ad9385 
-	 * on the command line and security labels must be ignored.
0ad9385 
+	 * If this is a user namespace mount and the filesystem type is not
0ad9385 
+	 * explicitly whitelisted, then no contexts are allowed on the command
0ad9385 
+	 * line and security labels must be ignored.
0ad9385 
 	 */
0ad9385 
-	if (sb->s_user_ns != &init_user_ns) {
0ad9385 
+	if (sb->s_user_ns != &init_user_ns &&
0ad9385 
+	    strcmp(sb->s_type->name, "tmpfs") &&
0ad9385 
+	    strcmp(sb->s_type->name, "ramfs") &&
0ad9385 
+	    strcmp(sb->s_type->name, "devpts")) {
0ad9385 
 		if (context_sid || fscontext_sid || rootcontext_sid ||
0ad9385 
 		    defcontext_sid) {
0ad9385 
 			rc = -EACCES;
0ad9385 
--
0ad9385 
2.4.11
0ad9385
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.