From patchwork Fri Feb 16 20:33:52 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Taras Kondratiuk <takondra@cisco.com>
X-Patchwork-Id: 128637
Delivered-To: patch@linaro.org
Received: by 10.46.124.24 with SMTP id x24csp956099ljc;
 Fri, 16 Feb 2018 12:36:13 -0800 (PST)
X-Google-Smtp-Source: AH8x227amoq7IA9D4M2pSL18uyQioI0MudSdTHwYGIHiWOsvusBpQ/cEJRC5q93LRvcNtPWriIhf
X-Received: by 10.101.70.203 with SMTP id n11mr5874293pgr.377.1518813373533; 
 Fri, 16 Feb 2018 12:36:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518813373; cv=none;
 d=google.com; s=arc-20160816;
 b=msiiXeFir62Mvdwz5FRjIt3e02knN3SbP2xbBqKONHwIBypdGVuJt5HiBmzn2ZUrM4
 zjRqPE1twYdeWBqgV7S2O5BfvMSjrpsD+t2e/fLlgdwZo+NnSGHG2rFYzNlU39H/0SlQ
 euFgBUSrkF7O2npuV0W0C4rWZTyhPOJ4nN1h6xJTg0LPl7UwcwpQ0meEsK/heZgwsMzv
 NyavOH0mEQxJbFluZN7aav7gRmzPwI+cQR8BIi3XBmTNqbDwxCDNRaCZJkmL6l82pzvg
 gsnbuCApYm5Sly1/3RgHOInidB6WtVY3uA2rnJHpH6djyTF0BRV4v6U15I/oOKiVm0Pw
 s/UA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature:arc-authentication-results;
 bh=bMDHejotnIJAIN+Gl2dmRyy6XAnlh4dSuvALBKEW+fc=;
 b=twUK1etF+Hj8xb7Gxll3l87aVSFWNTBy7529QagXDaPB3tKrusZNP5mtYZIzxhtqp6
 XH22kjGjlTe96ILpfY0HZfXjTqpfbAh6GN2zxzDV4288Ub2baKmjHbE6Tcovtigu5A/w
 aiJKVAccysezhedoGM+PB9JOf5uCtFxEfnf3gglhtPZIT7v7droOPxDTco6mqzT9jsb/
 cwhdrRn8hP6C+V/bU/7M9CRJKiwT8+BC2dIFeWuOYIyHo6y8WnP+78uIB9nPjCBK/fwp
 6SzqO5eB4Qmmu3oGi5Bl07Pb3/TFieH0+ClSinNIBUmjEk84a4RLyX7pcCEIq0ANeCHt
 cSiQ==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@cisco.com header.s=iport header.b=iGG+2L+e;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 c41-v6si1999328plj.682.2018.02.16.12.36.13; 
 Fri, 16 Feb 2018 12:36:13 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@cisco.com header.s=iport header.b=iGG+2L+e;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1751190AbeBPUgK (ORCPT <rfc822; dan.rue@linaro.org> + 28 others); 
 Fri, 16 Feb 2018 15:36:10 -0500
Received: from alln-iport-6.cisco.com ([173.37.142.93]:35249 "EHLO
 alln-iport-6.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1751078AbeBPUeJ (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Fri, 16 Feb 2018 15:34:09 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=cisco.com; i=@cisco.com; l=1404; q=dns/txt; s=iport;
 t=1518813249; x=1520022849;
 h=from:to:cc:subject:date:message-id:in-reply-to: references;
 bh=GVG8yZSIqBpAYoYeLbJ4sv4eV9fL21UfOz/cszDkk3s=;
 b=iGG+2L+e0Zb04v5nVWdGBjxAAMc/qwq/7Rdwldv5H43WS8Q7MEmmdznQ
 MECm7Jy8iLikh+JJp2Qgm/mRFfr42SGN1j9ZZYlPXmS0aTKco7GeWKtKs
 R1SBsMamqKd3VSyFE9PdkeR0dUByf4uUCbSw/JwOZycFOYcvO55lMBNWr s=;
X-IronPort-AV: E=Sophos;i="5.46,520,1511827200"; d="scan'208";a="71375533"
Received: from rcdn-core-6.cisco.com ([173.37.93.157])
 by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 16 Feb 2018 20:34:08 +0000
Received: from sjc-ads-7132.cisco.com (sjc-ads-7132.cisco.com
 [10.30.217.207]) (authenticated bits=0)
 by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w1GKXsMf015412
 (version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NO);
 Fri, 16 Feb 2018 20:34:08 GMT
From: Taras Kondratiuk <takondra@cisco.com>
To: "H. Peter Anvin" <hpa@zytor.com>, Al Viro <viro@zeniv.linux.org.uk>,
 Arnd Bergmann <arnd@arndb.de>, Rob Landley <rob@landley.net>,
 Mimi Zohar <zohar@linux.vnet.ibm.com>, Jonathan Corbet <corbet@lwn.net>,
 James McMechan <james.w.mcmechan@gmail.com>
Cc: initramfs@vger.kernel.org, Victor Kamensky <kamensky@cisco.com>,
 linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-security-module@vger.kernel.org, xe-linux-external@cisco.com
Subject: [PATCH v3 14/15] selinux: allow setxattr on rootfs so initramfs
 code can set them
Date: Fri, 16 Feb 2018 20:33:52 +0000
Message-Id: <1518813234-5874-17-git-send-email-takondra@cisco.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1518813234-5874-1-git-send-email-takondra@cisco.com>
References: <1518813234-5874-1-git-send-email-takondra@cisco.com>
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-Authenticated-User: takondra@cisco.com
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Victor Kamensky <kamensky@cisco.com>

initramfs code supporting extended cpio format have ability to
fill extended attributes from cpio archive, but if SELinux enabled
and security server is not initialized yet, selinux callback would
refuse setxattr made by initramfs code.

Solution enable SBLABEL_MNT on rootfs even if secrurity server is
not initialized yet.

Signed-off-by: Victor Kamensky <kamensky@cisco.com>
---
 security/selinux/hooks.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

-- 
2.10.3.dirty
Signed-off-by: Victor Kamensky <kamensky@cisco.com>
Signed-off-by: Victor Kamensky <kamensky@cisco.com>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8644d864e3c1..f3fe65589f02 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -706,6 +706,18 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 
 	if (!ss_initialized) {
 		if (!num_opts) {
+			/*
+			 * Special handling for rootfs. Is genfs but supports
+			 * setting SELinux context on in-core inodes.
+			 *
+			 * Chicken and egg problem: policy may reside in rootfs
+			 * but for initramfs code to fill in attributes, it
+			 * needs selinux to allow that.
+			 */
+			if (!strncmp(sb->s_type->name, "rootfs",
+				     sizeof("rootfs")))
+				sbsec->flags |= SBLABEL_MNT;
+
 			/* Defer initialization until selinux_complete_init,
 			   after the initial policy is loaded and the security
 			   server is ready to handle calls. */