diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2017-01-09 16:07:31 +0100 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2017-01-09 16:07:31 +0100 |
commit | 01593d3299a1cfdb5e08acf95f63ec59dd674906 (patch) | |
tree | 8effe4c871d480da9ac231fbeaab8caf68c9252b | |
parent | selinux: handle ICMPv6 consistently with ICMP (diff) | |
download | linux-01593d3299a1cfdb5e08acf95f63ec59dd674906.tar.xz linux-01593d3299a1cfdb5e08acf95f63ec59dd674906.zip |
selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
unprivileged mounts from user namespaces") prohibited any use of context
mount options within non-init user namespaces. However, this breaks
use of context mount options for tmpfs mounts within user namespaces,
which are being used by Docker/runc. There is no reason to block such
usage for tmpfs, ramfs or devpts. Exempt these filesystem types
from this restriction.
Before:
sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
mount: tmpfs is write-protected, mounting read-only
mount: cannot mount tmpfs read-only
After:
sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
sh# ls -Zd /tmp
unconfined_u:object_r:user_tmp_t:s0:c13 /tmp
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- | security/selinux/hooks.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e4b953f760dd..e32f4b5f23a5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb, } /* - * If this is a user namespace mount, no contexts are allowed - * on the command line and security labels must be ignored. + * If this is a user namespace mount and the filesystem type is not + * explicitly whitelisted, then no contexts are allowed on the command + * line and security labels must be ignored. */ - if (sb->s_user_ns != &init_user_ns) { + if (sb->s_user_ns != &init_user_ns && + strcmp(sb->s_type->name, "tmpfs") && + strcmp(sb->s_type->name, "ramfs") && + strcmp(sb->s_type->name, "devpts")) { if (context_sid || fscontext_sid || rootcontext_sid || defcontext_sid) { rc = -EACCES; |