Diffstat (limited to 'selinux-allow-context-mounts-on-tmpfs-etc.patch')
-rw-r--r-- | selinux-allow-context-mounts-on-tmpfs-etc.patch | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/selinux-allow-context-mounts-on-tmpfs-etc.patch b/selinux-allow-context-mounts-on-tmpfs-etc.patch
deleted file mode 100644
index cbb5b8cdf..000000000
--- a/selinux-allow-context-mounts-on-tmpfs-etc.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 01593d3299a1cfdb5e08acf95f63ec59dd674906 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <sds@tycho.nsa.gov>
-Date: Mon, 9 Jan 2017 10:07:31 -0500
-Subject: [PATCH] selinux: allow context mounts on tmpfs, ramfs, devpts within
- user namespaces
-
-commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
-unprivileged mounts from user namespaces") prohibited any use of context
-mount options within non-init user namespaces. However, this breaks
-use of context mount options for tmpfs mounts within user namespaces,
-which are being used by Docker/runc. There is no reason to block such
-usage for tmpfs, ramfs or devpts. Exempt these filesystem types
-from this restriction.
-
-Before:
-sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
-sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
-mount: tmpfs is write-protected, mounting read-only
-mount: cannot mount tmpfs read-only
-
-After:
-sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
-sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
-sh# ls -Zd /tmp
-unconfined_u:object_r:user_tmp_t:s0:c13 /tmp
-
-Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/selinux/hooks.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index e4b953f..e32f4b5 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
- }
-
- /*
-- * If this is a user namespace mount, no contexts are allowed
-- * on the command line and security labels must be ignored.
-+ * If this is a user namespace mount and the filesystem type is not
-+ * explicitly whitelisted, then no contexts are allowed on the command
-+ * line and security labels must be ignored.
- */
-- if (sb->s_user_ns != &init_user_ns) {
-+ if (sb->s_user_ns != &init_user_ns &&
-+ strcmp(sb->s_type->name, "tmpfs") &&
-+ strcmp(sb->s_type->name, "ramfs") &&
-+ strcmp(sb->s_type->name, "devpts")) {
- if (context_sid || fscontext_sid || rootcontext_sid ||
- defcontext_sid) {
- rc = -EACCES;
---
-2.9.3
-
|