From patchwork Thu Jan 25 03:27:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Taras Kondratiuk X-Patchwork-Id: 125768 Delivered-To: patch@linaro.org Received: by 10.46.66.141 with SMTP id h13csp834184ljf; Wed, 24 Jan 2018 19:39:56 -0800 (PST) X-Google-Smtp-Source: AH8x226MNAydEc3PO1dbcir8bDUvN/wdYGyuGR6LmRz6I3yN7NmGeU/zP3ib639rilxY2kpTgzav X-Received: by 10.98.224.205 with SMTP id d74mr15086459pfm.56.1516851596050; Wed, 24 Jan 2018 19:39:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516851596; cv=none; d=google.com; s=arc-20160816; b=cQ1ckrRSTPWihgJ3P6WOyLtAgfYAenqychw4QaDsxfn0EOmQo0dOJF60BzQTBKB7+q ZtuD7e4K4ZYAinTvLfPhaaKh0OG//9QZNkAHtnedPW7Q8zLC9VuVJ638oLLqW1FfDai5 vnqpuztiip5fnHhL2aMzi3oDfIhY5m7FE6lDPFAniSaOP9j0irmWF2J7pwWn5d2IAxTu VzSJVOTEEtRfNBZURpnGEUiCZza1KZ5VD5Whs2PTQdoRMRvXMO1RrbzhhwFlqTOEgIFN fAXZlhGw/TetXkRmu69i14vtYW4NGWFSyu2GCJ6biabYVBcqhi9JijYQFr3cMWHJaQ/S YhAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=bMDHejotnIJAIN+Gl2dmRyy6XAnlh4dSuvALBKEW+fc=; b=RqP1yJ4d2vzi5/V5LuGS+Im3A1e0gjhB8uYb5zn78gjy4tHotA0TbjZ9sbcv3Gu1rx eKld/zXJBat4qdFPGBQcuiLcGCvvlEn+FRxHNv+sfrJNf4FHVHOIuHIMN2tOBtkjeSiG UAwXiK9Hsathgo39qW6deOA7q1v7d8tEDsrTA9JDiENELMNDyJYwDTWjAFW+BvAhP7h8 yt5ltV6ILYsi7V08WJ4zMD6cXzrwQu0e3kQQX/c4oMfemZPEUeiaVfoTPiX0cdUvZUGn f+tb1Ac5rJR6WlckCTxkJGvrgamzAMLNkliN0fiV4EgaQLgZk28+CPtY0e3a8dxOxC+p YKwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=Go/LZac3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h66si3904844pfk.275.2018.01.24.19.39.55; Wed, 24 Jan 2018 19:39:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=Go/LZac3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933849AbeAYDjy (ORCPT + 28 others); Wed, 24 Jan 2018 22:39:54 -0500 Received: from alln-iport-8.cisco.com ([173.37.142.95]:46462 "EHLO alln-iport-8.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933414AbeAYDhb (ORCPT ); Wed, 24 Jan 2018 22:37:31 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1404; q=dns/txt; s=iport; t=1516851451; x=1518061051; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=GVG8yZSIqBpAYoYeLbJ4sv4eV9fL21UfOz/cszDkk3s=; b=Go/LZac3ldSxvJghPk7P5ae/hOR+V0KOx1J5IdLhT6GzgIH5YOk63ca0 WuErMK5FU91UWW3xCzIcMSGHfOXhP3Pi81CFjgKW7vBHJEuOQQ+/PAPw6 oq+vCau449kqWhgmZ7ACs+S43Sb/69ym050OWNUCZjVUP6DKcbKabA9be 8=; X-IronPort-AV: E=Sophos;i="5.46,409,1511827200"; d="scan'208";a="60787428" Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Jan 2018 03:28:09 +0000 Received: from sjc-ads-7132.cisco.com (sjc-ads-7132.cisco.com [10.30.217.207]) (authenticated bits=0) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w0P3Ruj5007601 (version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NO); Thu, 25 Jan 2018 03:28:08 GMT From: Taras Kondratiuk To: "H. Peter Anvin" , Al Viro , Arnd Bergmann , Rob Landley , Mimi Zohar , Jonathan Corbet , James McMechan Cc: initramfs@vger.kernel.org, Victor Kamensky , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, xe-linux-external@cisco.com Subject: [PATCH v2 14/15] selinux: allow setxattr on rootfs so initramfs code can set them Date: Thu, 25 Jan 2018 03:27:54 +0000 Message-Id: <1516850875-25066-15-git-send-email-takondra@cisco.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1516850875-25066-1-git-send-email-takondra@cisco.com> References: <1516850875-25066-1-git-send-email-takondra@cisco.com> X-Auto-Response-Suppress: DR, OOF, AutoReply X-Authenticated-User: takondra@cisco.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Victor Kamensky initramfs code supporting extended cpio format have ability to fill extended attributes from cpio archive, but if SELinux enabled and security server is not initialized yet, selinux callback would refuse setxattr made by initramfs code. Solution enable SBLABEL_MNT on rootfs even if secrurity server is not initialized yet. Signed-off-by: Victor Kamensky --- security/selinux/hooks.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) -- 2.10.3.dirty diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8644d864e3c1..f3fe65589f02 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -706,6 +706,18 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!ss_initialized) { if (!num_opts) { + /* + * Special handling for rootfs. Is genfs but supports + * setting SELinux context on in-core inodes. + * + * Chicken and egg problem: policy may reside in rootfs + * but for initramfs code to fill in attributes, it + * needs selinux to allow that. + */ + if (!strncmp(sb->s_type->name, "rootfs", + sizeof("rootfs"))) + sbsec->flags |= SBLABEL_MNT; + /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security server is ready to handle calls. */