| From a83d6ddaebe541570291205cb538e35ad4ff94f9 Mon Sep 17 00:00:00 2001 |
| From: Ondrej Mosnacek <omosnace@redhat.com> |
| Date: Fri, 21 Dec 2018 21:18:52 +0100 |
| Subject: selinux: never allow relabeling on context mounts |
| |
| From: Ondrej Mosnacek <omosnace@redhat.com> |
| |
| commit a83d6ddaebe541570291205cb538e35ad4ff94f9 upstream. |
| |
| In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling |
| files/directories, so we should never set the SBLABEL_MNT flag. The |
| 'special handling' in selinux_is_sblabel_mnt() is only intended for when |
| the behavior is set to SECURITY_FS_USE_GENFS. |
| |
| While there, make the logic in selinux_is_sblabel_mnt() more explicit |
| and add a BUILD_BUG_ON() to make sure that introducing a new |
| SECURITY_FS_USE_* forces a review of the logic. |
| |
| Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs") |
| Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> |
| Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> |
| Signed-off-by: Paul Moore <paul@paul-moore.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| security/selinux/hooks.c | 40 +++++++++++++++++++++++++++++++--------- |
| 1 file changed, 31 insertions(+), 9 deletions(-) |
| |
| --- a/security/selinux/hooks.c |
| +++ b/security/selinux/hooks.c |
| @@ -534,16 +534,10 @@ static int may_context_mount_inode_relab |
| return rc; |
| } |
| |
| -static int selinux_is_sblabel_mnt(struct super_block *sb) |
| +static int selinux_is_genfs_special_handling(struct super_block *sb) |
| { |
| - struct superblock_security_struct *sbsec = sb->s_security; |
| - |
| - return sbsec->behavior == SECURITY_FS_USE_XATTR || |
| - sbsec->behavior == SECURITY_FS_USE_TRANS || |
| - sbsec->behavior == SECURITY_FS_USE_TASK || |
| - sbsec->behavior == SECURITY_FS_USE_NATIVE || |
| - /* Special handling. Genfs but also in-core setxattr handler */ |
| - !strcmp(sb->s_type->name, "sysfs") || |
| + /* Special handling. Genfs but also in-core setxattr handler */ |
| + return !strcmp(sb->s_type->name, "sysfs") || |
| !strcmp(sb->s_type->name, "pstore") || |
| !strcmp(sb->s_type->name, "debugfs") || |
| !strcmp(sb->s_type->name, "tracefs") || |
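Review bot: The new helper `selinux_is_genfs_special_handling()` drops the `sbsec->behavior` checks that the removed lines carried, so its result is only meaningful once the caller has already established `SECURITY_FS_USE_GENFS`; nothing at the definition says so. A one-line precondition above the function, e.g. `/* Only valid for sbsec->behavior == SECURITY_FS_USE_GENFS; callers must check. */`, would keep a future caller from treating the name-match alone as "relabeling allowed" and reintroducing the bug this commit fixes. The helper's return expression continues past this hunk into the next one.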
| @@ -553,6 +547,34 @@ static int selinux_is_sblabel_mnt(struct |
| !strcmp(sb->s_type->name, "cgroup2"))); |
| } |
| |
| +static int selinux_is_sblabel_mnt(struct super_block *sb) |
| +{ |
| + struct superblock_security_struct *sbsec = sb->s_security; |
| + |
| + /* |
| + * IMPORTANT: Double-check logic in this function when adding a new |
| + * SECURITY_FS_USE_* definition! |
| + */ |
| + BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); |
| + |
| + switch (sbsec->behavior) { |
| + case SECURITY_FS_USE_XATTR: |
| + case SECURITY_FS_USE_TRANS: |
| + case SECURITY_FS_USE_TASK: |
| + case SECURITY_FS_USE_NATIVE: |
| + return 1; |
| + |
| + case SECURITY_FS_USE_GENFS: |
| + return selinux_is_genfs_special_handling(sb); |
| + |
| + /* Never allow relabeling on context mounts */ |
| + case SECURITY_FS_USE_MNTPOINT: |
| + case SECURITY_FS_USE_NONE: |
| + default: |
| + return 0; |
| + } |
| +} |
| + |
| static int sb_finish_set_opts(struct super_block *sb) |
| { |
| struct superblock_security_struct *sbsec = sb->s_security; |
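Review bot: The comment `/* Never allow relabeling on context mounts */` sits directly above `case SECURITY_FS_USE_MNTPOINT:` but the arm it introduces also covers `SECURITY_FS_USE_NONE` and `default:`, so a reader can miss that unknown or future behavior values fail closed here as well. Widening it to `/* Context mounts never allow relabeling; SECURITY_FS_USE_NONE and any value not enumerated above fail closed too */` states the deny-by-default intent explicitly and pairs with the `BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7)` guard that forces this switch to be revisited when a new behavior is added. The body of `sb_finish_set_opts()` continues beyond the end of the hunk.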