Diffstat (limited to 'selinux-namespace-fix.patch')
-rw-r--r--selinux-namespace-fix.patch57
1 files changed, 57 insertions, 0 deletions
diff --git a/selinux-namespace-fix.patch b/selinux-namespace-fix.patch
new file mode 100644
index 000000000..f94ec15d8
--- /dev/null
+++ b/selinux-namespace-fix.patch
@@ -0,0 +1,57 @@
+From 4a49d45dd58994f4fc9b40c502252403caadee88 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Thu, 8 Dec 2016 09:14:47 -0500
+Subject: [PATCH] selinux: allow context mounts on tmpfs, ramfs, devpts within
+ user namespaces
+
+commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
+unprivileged mounts from user namespaces") prohibited any use of context
+mount options within non-init user namespaces. However, this breaks
+use of context mount options for tmpfs mounts within user namespaces,
+which are being used by Docker/runc. There is no reason to block such
+usage for tmpfs, ramfs or devpts. Exempt these filesystem types
+from this restriction.
+
+Before:
+sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
+sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
+mount: tmpfs is write-protected, mounting read-only
+mount: cannot mount tmpfs read-only
+
+After:
+sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
+sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
+sh# ls -Zd /tmp
+unconfined_u:object_r:user_tmp_t:s0:c13 /tmp
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/hooks.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index b508a5a..e7c5481 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
+ }
+
+ /*
+- * If this is a user namespace mount, no contexts are allowed
+- * on the command line and security labels must be ignored.
++ * If this is a user namespace mount and the filesystem type is not
++ * explicitly whitelisted, then no contexts are allowed on the command
++ * line and security labels must be ignored.
+ */
+- if (sb->s_user_ns != &init_user_ns) {
++ if (sb->s_user_ns != &init_user_ns &&
++ strcmp(sb->s_type->name, "tmpfs") &&
++ strcmp(sb->s_type->name, "ramfs") &&
++ strcmp(sb->s_type->name, "devpts")) {
+ if (context_sid || fscontext_sid || rootcontext_sid ||
+ defcontext_sid) {
+ rc = -EACCES;
+--
+2.4.11
+
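Review bot: The diffstat shows this commit only adds selinux-namespace-fix.patch and touches no spec or series file, so nothing in this commit actually applies the patch to the build; if that is done in a separate commit, naming it in the commit description would make the change easier to audit. Inside the embedded patch, the new condition around `selinux_set_mnt_opts` (which begins and ends outside the hunk) keys on `strcmp(sb->s_type->name, ...)` for three names, and the rewritten comment says the types are "explicitly whitelisted" but not why exempting them is safe; a short justification would help the next person who is asked to add a fourth entry, e.g. `/* tmpfs, ramfs and devpts are memory-backed/pseudo filesystems with no on-disk labels, so context= here only affects the mounter's own instance -- confirm before extending the list */`. The hunk context ends at `rc = -EACCES;`, so the rest of the rejection branch is not visible in this view.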