From patchwork Wed Mar 29 15:27:23 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tomeu Vizoso <tomeu.vizoso@collabora.com>
X-Patchwork-Id: 96209
Delivered-To: patch@linaro.org
Received: by 10.140.89.233 with SMTP id v96csp2253084qgd;
 Wed, 29 Mar 2017 08:29:36 -0700 (PDT)
X-Received: by 10.84.192.129 with SMTP id c1mr1222297pld.181.1490801376760; 
 Wed, 29 Mar 2017 08:29:36 -0700 (PDT)
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 a19si7710898pgn.175.2017.03.29.08.29.36; 
 Wed, 29 Mar 2017 08:29:36 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1753060AbdC2P17 (ORCPT <rfc822;julien.grall@linaro.org>
 + 20 others); Wed, 29 Mar 2017 11:27:59 -0400
Received: from mail-wr0-f193.google.com ([209.85.128.193]:35350 "EHLO
 mail-wr0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1752170AbdC2P14 (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Wed, 29 Mar 2017 11:27:56 -0400
Received: by mail-wr0-f193.google.com with SMTP id p52so3979761wrc.2;
 Wed, 29 Mar 2017 08:27:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=sender:from:to:cc:subject:date:message-id;
 bh=3L8+YQsxQAGVOK5dHu2381cPuVwQjDtmD9aq8vlcvsM=;
 b=H4uzHfmcm9Uynh+rq3Mq5WkNNbYIPvfvSD6KTaSW1NrqQ8c8/oJMk3v6PpECTv0a4/
 3S1BqQY9J/SilSdlmc2hQV5DS6YC3LVXRbN5zjpG6Uy9D3aJ0Gx17bjUNcze8XsIZd69
 BTsgGYIr2cY6ZSNDgsxdkpJGsxBG7xJUnTqU8PXDbCR1u2bvRFrLvgPeG9ISjvcLg1Sz
 neozhsABGJCnEQOgfZdv7157eWpfpzxlYXKudMyWrA2KhNLtaHSTBJvKYsNTJWK7hEhl
 D6KP45ZEXxsbyZoWEAwc71n99r8GGcGoCZ7JXY2gPJjTT8l/Y2+wIaIcCqXPhoMy+p5p
 K9mw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:sender:from:to:cc:subject:date:message-id;
 bh=3L8+YQsxQAGVOK5dHu2381cPuVwQjDtmD9aq8vlcvsM=;
 b=XcNhCCR1sit2TNFpN/J2nIcnxNk7HKegKAvo3fHD+137jtjXwfN6s1Pk9BF/MB9DXW
 vRCQOETqnjEo1VZNMDHoctDbAUKh4rjeVhPHxYUH0sT80bSsqU/bIsV3GvnnG+QIHQqD
 DJcftg8yOBwNcUL1miTEuINxJJv7EkTpxAN6RWAcB+twkxVrdJAJwszbEitu5mlHkQmS
 SNhRkNbRo56KtwrPBrAeLeQ9BfnCEQ3bqVuh9e8gahjJpRWIOEh9WF1196NTuIuF73dl
 jAXcUl7SX2ccdDYQDFOozz8QIToaksULc8AMvrw9p76VjRq0lFDGm4a5RSCNcSWOdCCa
 1zJg==
X-Gm-Message-State: AFeK/H0TXyweyaBL7ZTx07iqYMFB+/MkP5tFyLbwFxXQj3DRNTWcYJff3TsIl6BGE+HnpA==
X-Received: by 10.223.177.219 with SMTP id r27mr1086653wra.194.1490801274628; 
 Wed, 29 Mar 2017 08:27:54 -0700 (PDT)
Received: from cizrna.lan ([109.72.12.19]) by smtp.gmail.com with ESMTPSA id
 w12sm9824477wra.21.2017.03.29.08.27.53
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 29 Mar 2017 08:27:53 -0700 (PDT)
From: Tomeu Vizoso <tomeu.vizoso@collabora.com>
To: linux-kernel@vger.kernel.org
Cc: Tomeu Vizoso <tomeu.vizoso@collabora.com>,
 "J . Bruce Fields" <bfields@redhat.com>,
 Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>,
 Eric Paris <eparis@parisplace.org>,
 James Morris <james.l.morris@oracle.com>,
 "Serge E. Hallyn" <serge@hallyn.com>, selinux@tycho.nsa.gov,
 linux-security-module@vger.kernel.org
Subject: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts
Date: Wed, 29 Mar 2017 17:27:23 +0200
Message-Id: <20170329152724.19030-1-tomeu.vizoso@collabora.com>
X-Mailer: git-send-email 2.9.3
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Labelling of files in a NFSv4.2 currently fails with ENOTSUPP because
the mount point doesn't have SBLABEL_MNT.

Add specific condition for NFS4 filesystems so it gets correctly
labeled.

Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com>
Cc: J. Bruce Fields <bfields@redhat.com>

---

Hi,

cannot remotely say that I currently understand how selinux is expected
to work within NFS mounts, but this change allowed me to fully boot AOSP
with its rootfs and ramdisk on a single NFS share.

Thanks,

Tomeu
---
 security/selinux/hooks.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.9.3

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0c2ac318aa7f..71cd1d8c67c2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -485,6 +485,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
 		!strcmp(sb->s_type->name, "debugfs") ||
 		!strcmp(sb->s_type->name, "tracefs") ||
 		!strcmp(sb->s_type->name, "rootfs") ||
+		!strcmp(sb->s_type->name, "nfs4") ||
 		(selinux_policycap_cgroupseclabel &&
 		 (!strcmp(sb->s_type->name, "cgroup") ||
 		  !strcmp(sb->s_type->name, "cgroup2")));