1 From 849a49e6952a6f0eaf735f4e8ebeb178a228ad34 Mon Sep 17 00:00:00 2001
2 From: Ondrej Mosnacek <omosnace@redhat.com>
3 Date: Fri, 21 Dec 2018 21:18:53 +0100
4 Subject: selinux: do not override context on context mounts
5
6 [ Upstream commit 53e0c2aa9a59a48e3798ef193d573ade85aa80f5 ]
7
8 Ignore all selinux_inode_notifysecctx() calls on mounts with SBLABEL_MNT
9 flag unset. This is achieved by returning -EOPNOTSUPP for this case in
10 selinux_inode_setsecurity() (because that function should not be called
11 in such case anyway) and translating this error to 0 in
12 selinux_inode_notifysecctx().
13
14 This fixes behavior of kernfs-based filesystems when mounted with the
15 'context=' option. Before this patch, if a node's context had been
16 explicitly set to a non-default value and later the filesystem has been
17 remounted with the 'context=' option, then this node would show up as
18 having the manually-set context and not the mount-specified one.
19
20 Steps to reproduce:
21 # mount -t cgroup2 cgroup2 /sys/fs/cgroup/unified
22 # chcon unconfined_u:object_r:user_home_t:s0 /sys/fs/cgroup/unified/cgroup.stat
23 # ls -lZ /sys/fs/cgroup/unified
24 total 0
25 -r--r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.controllers
26 -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.depth
27 -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.descendants
28 -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.procs
29 -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
30 -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.subtree_control
31 -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.threads
32 # umount /sys/fs/cgroup/unified
33 # mount -o context=system_u:object_r:tmpfs_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
34
35 Result before:
36 # ls -lZ /sys/fs/cgroup/unified
37 total 0
38 -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
39 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
40 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
41 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
42 -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
43 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
44 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
45
46 Result after:
47 # ls -lZ /sys/fs/cgroup/unified
48 total 0
49 -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
50 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
51 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
52 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
53 -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.stat
54 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
55 -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
56
57 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
58 Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
59 Signed-off-by: Paul Moore <paul@paul-moore.com>
60 Signed-off-by: Sasha Levin <sashal@kernel.org>
61 ---
62 security/selinux/hooks.c | 9 ++++++++-
63 1 file changed, 8 insertions(+), 1 deletion(-)
64
65 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
66 index a5d9c0146ac3..b72aa48f6478 100644
67 --- a/security/selinux/hooks.c
68 +++ b/security/selinux/hooks.c
69 @@ -3339,12 +3339,16 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
70 const void *value, size_t size, int flags)
71 {
72 struct inode_security_struct *isec = inode_security_novalidate(inode);
73 + struct superblock_security_struct *sbsec = inode->i_sb->s_security;
74 u32 newsid;
75 int rc;
76
77 if (strcmp(name, XATTR_SELINUX_SUFFIX))
78 return -EOPNOTSUPP;
79
80 + if (!(sbsec->flags & SBLABEL_MNT))
81 + return -EOPNOTSUPP;
82 +
83 if (!value || !size)
84 return -EACCES;
85
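Review bot: The new SBLABEL_MNT guard returns -EOPNOTSUPP without a comment, yet selinux_inode_notifysecctx() in the second hunk relies on exactly that value to mean "the label is fixed by the mount, keep it"; a reader of this function alone cannot tell the errno is part of a contract rather than an ordinary failure. Suggest placing `/* Labels on this sb are fixed by the mount (e.g. context=); refuse to override them. notifysecctx() maps this to success. */` above the check. Note the guard sits ahead of the `!value || !size` test, so a caller on such a mount now gets -EOPNOTSUPP instead of -EACCES for an empty value, which is consistent with the name check directly above it. selinux_inode_setsecurity()'s signature is only visible in the hunk header and its body continues past the hunk.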
86 @@ -6103,7 +6107,10 @@ static void selinux_inode_invalidate_secctx(struct inode *inode)
87 */
88 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
89 {
90 - return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
91 + int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
92 + ctx, ctxlen, 0);
93 + /* Do not return error when suppressing label (SBLABEL_MNT not set). */
94 + return rc == -EOPNOTSUPP ? 0 : rc;
95 }
96
97 /*
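Review bot: The ternary on the new return line maps every -EOPNOTSUPP to success, including the one selinux_inode_setsecurity() returns for a name mismatch; that branch is unreachable here because the name is passed as the XATTR_SELINUX_SUFFIX constant, but the comment should say so, otherwise a later change to the call could start hiding a real mismatch. Suggest extending the comment to `/* Do not return error when suppressing label (SBLABEL_MNT not set): the supplied ctx is intentionally discarded and the inode keeps the mount-assigned label. Only the constant name is passed, so no other -EOPNOTSUPP source exists here. */`. Any other error from selinux_inode_setsecurity() (for example -EACCES for an empty ctx) still propagates, so kernfs callers that check the return continue to see genuine failures.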
98 --
99 2.19.1
100