projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| ab5a003b GKH |
1 | From a83d6ddaebe541570291205cb538e35ad4ff94f9 Mon Sep 17 00:00:00 2001 |
| 2 | From: Ondrej Mosnacek <omosnace@redhat.com> | |
| 3 | Date: Fri, 21 Dec 2018 21:18:52 +0100 | |
| 4 | Subject: selinux: never allow relabeling on context mounts | |
| 5 | ||
| 6 | From: Ondrej Mosnacek <omosnace@redhat.com> | |
| 7 | ||
| 8 | commit a83d6ddaebe541570291205cb538e35ad4ff94f9 upstream. | |
| 9 | ||
| 10 | In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling | |
| 11 | files/directories, so we should never set the SBLABEL_MNT flag. The | |
| 12 | 'special handling' in selinux_is_sblabel_mnt() is only intended for when | |
| 13 | the behavior is set to SECURITY_FS_USE_GENFS. | |
| 14 | ||
| 15 | While there, make the logic in selinux_is_sblabel_mnt() more explicit | |
| 16 | and add a BUILD_BUG_ON() to make sure that introducing a new | |
| 17 | SECURITY_FS_USE_* forces a review of the logic. | |
| 18 | ||
| 19 | Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs") | |
| 20 | Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> | |
| 21 | Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> | |
| 22 | Signed-off-by: Paul Moore <paul@paul-moore.com> | |
| 23 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 24 | ||
| 25 | --- | |
| 26 | security/selinux/hooks.c | 40 +++++++++++++++++++++++++++++++--------- | |
| 27 | 1 file changed, 31 insertions(+), 9 deletions(-) | |
| 28 | ||
| 29 | --- a/security/selinux/hooks.c | |
| 30 | +++ b/security/selinux/hooks.c | |
| 31 | @@ -396,21 +396,43 @@ static int may_context_mount_inode_relab | |
| 32 | return rc; | |
| 33 | } | |
| 34 | ||
| 35 | -static int selinux_is_sblabel_mnt(struct super_block *sb) | |
| 36 | +static int selinux_is_genfs_special_handling(struct super_block *sb) | |
| 37 | { | |
| 38 | - struct superblock_security_struct *sbsec = sb->s_security; | |
| 39 | - | |
| 40 | - return sbsec->behavior == SECURITY_FS_USE_XATTR || | |
| 41 | - sbsec->behavior == SECURITY_FS_USE_TRANS || | |
| 42 | - sbsec->behavior == SECURITY_FS_USE_TASK || | |
| 43 | - sbsec->behavior == SECURITY_FS_USE_NATIVE || | |
| 44 | - /* Special handling. Genfs but also in-core setxattr handler */ | |
| 45 | - !strcmp(sb->s_type->name, "sysfs") || | |
| 46 | + /* Special handling. Genfs but also in-core setxattr handler */ | |
| 47 | + return !strcmp(sb->s_type->name, "sysfs") || | |
| 48 | !strcmp(sb->s_type->name, "pstore") || | |
| 49 | !strcmp(sb->s_type->name, "debugfs") || | |
| 50 | !strcmp(sb->s_type->name, "rootfs"); | |
| 51 | } | |
| 52 | ||
| 53 | +static int selinux_is_sblabel_mnt(struct super_block *sb) | |
| 54 | +{ | |
| 55 | + struct superblock_security_struct *sbsec = sb->s_security; | |
| 56 | + | |
| 57 | + /* | |
| 58 | + * IMPORTANT: Double-check logic in this function when adding a new | |
| 59 | + * SECURITY_FS_USE_* definition! | |
| 60 | + */ | |
| 61 | + BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); | |
| 62 | + | |
| 63 | + switch (sbsec->behavior) { | |
| 64 | + case SECURITY_FS_USE_XATTR: | |
| 65 | + case SECURITY_FS_USE_TRANS: | |
| 66 | + case SECURITY_FS_USE_TASK: | |
| 67 | + case SECURITY_FS_USE_NATIVE: | |
| 68 | + return 1; | |
| 69 | + | |
| 70 | + case SECURITY_FS_USE_GENFS: | |
| 71 | + return selinux_is_genfs_special_handling(sb); | |
| 72 | + | |
| 73 | + /* Never allow relabeling on context mounts */ | |
| 74 | + case SECURITY_FS_USE_MNTPOINT: | |
| 75 | + case SECURITY_FS_USE_NONE: | |
| 76 | + default: | |
| 77 | + return 0; | |
| 78 | + } | |
| 79 | +} | |
| 80 | + | |
| 81 | static int sb_finish_set_opts(struct super_block *sb) | |
| 82 | { | |
| 83 | struct superblock_security_struct *sbsec = sb->s_security; |