summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2017-01-09 10:07:31 -0500
committerPaul Moore <paul@paul-moore.com>2017-01-09 10:07:31 -0500
commit01593d3299a1cfdb5e08acf95f63ec59dd674906 (patch)
tree8effe4c871d480da9ac231fbeaab8caf68c9252b /security
parentef37979a2cfa3905adbf0c2a681ce16c0aaea92d (diff)
downloadlinux-01593d3299a1cfdb5e08acf95f63ec59dd674906.tar.gz
linux-01593d3299a1cfdb5e08acf95f63ec59dd674906.tar.bz2
linux-01593d3299a1cfdb5e08acf95f63ec59dd674906.zip
selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for unprivileged mounts from user namespaces") prohibited any use of context mount options within non-init user namespaces. However, this breaks use of context mount options for tmpfs mounts within user namespaces, which are being used by Docker/runc. There is no reason to block such usage for tmpfs, ramfs or devpts. Exempt these filesystem types from this restriction. Before: sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp mount: tmpfs is write-protected, mounting read-only mount: cannot mount tmpfs read-only After: sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp sh# ls -Zd /tmp unconfined_u:object_r:user_tmp_t:s0:c13 /tmp Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e4b953f760dd..e32f4b5f23a5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
}
/*
- * If this is a user namespace mount, no contexts are allowed
- * on the command line and security labels must be ignored.
+ * If this is a user namespace mount and the filesystem type is not
+ * explicitly whitelisted, then no contexts are allowed on the command
+ * line and security labels must be ignored.
*/
- if (sb->s_user_ns != &init_user_ns) {
+ if (sb->s_user_ns != &init_user_ns &&
+ strcmp(sb->s_type->name, "tmpfs") &&
+ strcmp(sb->s_type->name, "ramfs") &&
+ strcmp(sb->s_type->name, "devpts")) {
if (context_sid || fscontext_sid || rootcontext_sid ||
defcontext_sid) {
rc = -EACCES;