From patchwork Fri Feb 16 20:33:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Taras Kondratiuk X-Patchwork-Id: 128634 Delivered-To: patch@linaro.org Received: by 10.46.124.24 with SMTP id x24csp954611ljc; Fri, 16 Feb 2018 12:34:22 -0800 (PST) X-Google-Smtp-Source: AH8x225+YJxCGsSXScog6xpKaDg1lI38feSZ2g2fHb0CZ8bGg7AIiGn8PkHWpfEW5OkVN6N0D9Xw X-Received: by 10.99.61.75 with SMTP id k72mr5909104pga.384.1518813262148; Fri, 16 Feb 2018 12:34:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518813262; cv=none; d=google.com; s=arc-20160816; b=ftqEHK5SQxXaOScWh+J3PlkzNhcpEdTbk0G5QXKcRlzxBUzQNuXmnH0Blaoswo3jas 6LxgsRF8AePxepPsHawLOcxlr1HS+K/SHfI+NSG1aW1/HP332+vW6psH1IKi/zD1YNvO 7LZIn5AU6Ga0vU2LYhFIUhAj1CcNHE/U2YCM/AUN7v+OXNfV/8lgzo161+FsSZykDIB/ uDDiDmmdxIfoX1J/ppxOIkxfeKLPiQYX5z40rMdkl1TCPBUJHwmCs5OFD8F/YAGQepGv Of0lFDynC37XJ074SiyeiOBf1SZn/29U2ZurYVk5jggzlDOsDVf8ZGfkImPhN/KOELX5 /28Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=bMDHejotnIJAIN+Gl2dmRyy6XAnlh4dSuvALBKEW+fc=; b=HNZz/c5jtvGrLBR3qPDI10HdMdtfskdSyF75afEdV/hFa7vmQQLkepEGMN9qUJLeuT tWDK1GVAqjpVzURM24EykD3MVL7EjgrQO44huQvVHdb9SOSH99iYm1yG6rIsNz7T/SMI Ts28e/3aUQwewBYP9rfpWGLJdgTzWuwlKti3aygPFmGRWVzS6f9i2eWLhnN/8JTjkmNT k4j0aOFoBj0DrpAzkjTx+XCWblrbw0kfjD5jOD1rjnj+MmiA4yXEqBBZzWjiSeDvtB+t 6B3MnY8N5IXQGKBeEp9d6Wpt6v3nYidYth24fWWppEKER+W4iJGcWvCLhT/sLQwL7Osm BNaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=CsdtmUii; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q15si1641693pgc.727.2018.02.16.12.34.21; Fri, 16 Feb 2018 12:34:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=CsdtmUii; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751178AbeBPUeR (ORCPT + 28 others); Fri, 16 Feb 2018 15:34:17 -0500 Received: from alln-iport-8.cisco.com ([173.37.142.95]:45361 "EHLO alln-iport-8.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751010AbeBPUeI (ORCPT ); Fri, 16 Feb 2018 15:34:08 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1404; q=dns/txt; s=iport; t=1518813248; x=1520022848; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=GVG8yZSIqBpAYoYeLbJ4sv4eV9fL21UfOz/cszDkk3s=; b=CsdtmUiirgjFlvragdFDEOwebxyjKKCLwg5WWLYPNlgWoLjWxNLUGB+g XyHN6zbSwCegbYj7pLRqU/pW9mcLU6PUS278EwN3JtLkNPf8ds+45Sazu j6EbJPFnaaHEu9RwIFPzjt07aJOsYsKLUa1rLkw7y986uK+Ax1jBFsHdb w=; X-IronPort-AV: E=Sophos;i="5.46,520,1511827200"; d="scan'208";a="71384351" Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Feb 2018 20:34:07 +0000 Received: from sjc-ads-7132.cisco.com (sjc-ads-7132.cisco.com [10.30.217.207]) (authenticated bits=0) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w1GKXsMe015412 (version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NO); Fri, 16 Feb 2018 20:34:07 GMT From: Taras Kondratiuk To: "H. Peter Anvin" , Al Viro , Arnd Bergmann , Rob Landley , Mimi Zohar , Jonathan Corbet , James McMechan Cc: initramfs@vger.kernel.org, Victor Kamensky , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, xe-linux-external@cisco.com Subject: [PATCH v3 13/14] selinux: allow setxattr on rootfs so initramfs code can set them Date: Fri, 16 Feb 2018 20:33:51 +0000 Message-Id: <1518813234-5874-16-git-send-email-takondra@cisco.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1518813234-5874-1-git-send-email-takondra@cisco.com> References: <1518813234-5874-1-git-send-email-takondra@cisco.com> X-Auto-Response-Suppress: DR, OOF, AutoReply X-Authenticated-User: takondra@cisco.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Victor Kamensky initramfs code supporting extended cpio format have ability to fill extended attributes from cpio archive, but if SELinux enabled and security server is not initialized yet, selinux callback would refuse setxattr made by initramfs code. Solution enable SBLABEL_MNT on rootfs even if secrurity server is not initialized yet. Signed-off-by: Victor Kamensky --- security/selinux/hooks.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) -- 2.10.3.dirty diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8644d864e3c1..f3fe65589f02 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -706,6 +706,18 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!ss_initialized) { if (!num_opts) { + /* + * Special handling for rootfs. Is genfs but supports + * setting SELinux context on in-core inodes. + * + * Chicken and egg problem: policy may reside in rootfs + * but for initramfs code to fill in attributes, it + * needs selinux to allow that. + */ + if (!strncmp(sb->s_type->name, "rootfs", + sizeof("rootfs"))) + sbsec->flags |= SBLABEL_MNT; + /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security server is ready to handle calls. */ From patchwork Fri Feb 16 20:33:53 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Taras Kondratiuk X-Patchwork-Id: 128636 Delivered-To: patch@linaro.org Received: by 10.46.124.24 with SMTP id x24csp955727ljc; Fri, 16 Feb 2018 12:35:45 -0800 (PST) X-Google-Smtp-Source: AH8x225lU9empnPsW0DUQtzimHp72H8T3tRW58cQzWT2lJz48nV9feREAyeRf6yZXhnJ6+R5/Jff X-Received: by 10.99.110.199 with SMTP id j190mr5557186pgc.404.1518813345037; Fri, 16 Feb 2018 12:35:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518813345; cv=none; d=google.com; s=arc-20160816; b=tdzaTV0MtbgAVtZ4na30ytOePqkA68l/dB9/5DJib+EnArknM5i2ogmnwyKXBwdmJ5 adxTeuwmTyHAelaPdNCrD9jjr9hVInhEndN2Tcwkd8eaI4A/fs2YdegDmWceyaBDw0H+ 0/36G3psCUpuijYujRzcWRnarviVYxDuY1DBgQogoEaM73hW4c+LItbEWEG7KZLzenle sAFZar+UGd0r12oPhpMtT4ZTU4o7rkQRy3dRLDII/un31ZkdL1vvM61ItiN2sI5ur2IV Eap9Hn62IwKS7+xo3eKoA/Yg0zpu6dNsXPFaM/aYXv+w4OXTbmcQvVxJZZ7LEHz3K8Eo Ujxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=SHULkiKs1SdlOrYXBNOUNyCiEY09xiCEmePUGn79qF8=; b=HyBGU/7/ifvFWMaGNx4p3T2q1SGWBz9nbdFCx32SSi4e+IRYdKgVTbAg+mJjNHc3Md dMxwvNpcywfrVdeuCWMjXp294qBZzaVRbul54A2+lu3uU1Q8Uere5RWs58akf7g0d306 0JZ69F1SyOpa5dlID8iqVgZoTKPfDXcQoE8NHJm1/RaoZ60lcsimgOxiAgvqXHFHwMzi at696e860DBnw85KTNZ8gDmin8zavUR90I6cAe99owBoumWbj9BdZvGyNyHKVdCDLUxF muwNsXrKEkkIjUQaBGgq/PNsLeyL0EE6loi5wMt4BYHADH1yeQbiR1PUN5nNsRXyCsha q02w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=cOLZsB9N; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x3-v6si79308plo.2.2018.02.16.12.35.44; Fri, 16 Feb 2018 12:35:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=cOLZsB9N; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751234AbeBPUfm (ORCPT + 28 others); Fri, 16 Feb 2018 15:35:42 -0500 Received: from alln-iport-6.cisco.com ([173.37.142.93]:35249 "EHLO alln-iport-6.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751091AbeBPUeL (ORCPT ); Fri, 16 Feb 2018 15:34:11 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2865; q=dns/txt; s=iport; t=1518813251; x=1520022851; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=h+x182m25pAUhcejAUrzU53jlgUVrI0n67CYLEcHg4c=; b=cOLZsB9Nzw8q1/StuKYf0pbeaeCA2urCwUkBI0bmQwiqz/hi1LCQuP// 1S8uT9eWWL7JxhxiFsW1vABwSEOU7gefPIGE9KZzNROAxNTHY0pxBlQ16 jgxD0Ib718nbLqSjENqeNyQ7odDOfXJEl7q7ZMUdCKHpJXGbr8NxwBOGy k=; X-IronPort-AV: E=Sophos;i="5.46,520,1511827200"; d="scan'208";a="71375540" Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Feb 2018 20:34:09 +0000 Received: from sjc-ads-7132.cisco.com (sjc-ads-7132.cisco.com [10.30.217.207]) (authenticated bits=0) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w1GKXsMg015412 (version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NO); Fri, 16 Feb 2018 20:34:08 GMT From: Taras Kondratiuk To: "H. Peter Anvin" , Al Viro , Arnd Bergmann , Rob Landley , Mimi Zohar , Jonathan Corbet , James McMechan Cc: initramfs@vger.kernel.org, Victor Kamensky , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, xe-linux-external@cisco.com Subject: [PATCH v3 14/14] selinux: delay sid population for rootfs till init is complete Date: Fri, 16 Feb 2018 20:33:53 +0000 Message-Id: <1518813234-5874-18-git-send-email-takondra@cisco.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1518813234-5874-1-git-send-email-takondra@cisco.com> References: <1518813234-5874-1-git-send-email-takondra@cisco.com> X-Auto-Response-Suppress: DR, OOF, AutoReply X-Authenticated-User: takondra@cisco.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Victor Kamensky With initramfs cpio format that supports extended attributes we need to skip sid population on sys_lsetxattr call from initramfs for rootfs if security server is not initialized yet. Otherwise callback in selinux_inode_post_setxattr will try to translate give security.selinux label into sid context and since security server is not available yet inode will receive default sid (typically kernel_t). Note that in the same time proper label will be stored in inode xattrs. Later, since inode sid would be already populated system will never look back at actual xattrs. But if we skip sid population for rootfs and we have policy that direct use of xattrs for rootfs, proper sid will be filled in from extended attributes one node is accessed and server is initialized. Note new DELAYAFTERINIT_MNT super block flag is introduced to only mark rootfs for such behavior. For other types of tmpfs original logic is still used. Signed-off-by: Victor Kamensky --- security/selinux/hooks.c | 9 ++++++++- security/selinux/include/security.h | 1 + 2 files changed, 9 insertions(+), 1 deletion(-) -- 2.10.3.dirty diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f3fe65589f02..bb25268f734e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -716,7 +716,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, */ if (!strncmp(sb->s_type->name, "rootfs", sizeof("rootfs"))) - sbsec->flags |= SBLABEL_MNT; + sbsec->flags |= SBLABEL_MNT|DELAYAFTERINIT_MNT; /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security @@ -3253,6 +3253,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, { struct inode *inode = d_backing_inode(dentry); struct inode_security_struct *isec; + struct superblock_security_struct *sbsec; u32 newsid; int rc; @@ -3261,6 +3262,12 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, return; } + if (!ss_initialized) { + sbsec = inode->i_sb->s_security; + if (sbsec->flags & DELAYAFTERINIT_MNT) + return; + } + rc = security_context_to_sid_force(value, size, &newsid); if (rc) { printk(KERN_ERR "SELinux: unable to map context to SID" diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 02f0412d42f2..585acfd6cbcf 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -52,6 +52,7 @@ #define ROOTCONTEXT_MNT 0x04 #define DEFCONTEXT_MNT 0x08 #define SBLABEL_MNT 0x10 +#define DELAYAFTERINIT_MNT 0x20 /* Non-mount related flags */ #define SE_SBINITIALIZED 0x0100 #define SE_SBPROC 0x0200 From patchwork Fri Feb 16 20:33:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Taras Kondratiuk X-Patchwork-Id: 128635 Delivered-To: patch@linaro.org Received: by 10.46.124.24 with SMTP id x24csp955547ljc; Fri, 16 Feb 2018 12:35:32 -0800 (PST) X-Google-Smtp-Source: AH8x226yTzU1xuLqlZzg5nEx4rxHecxddkcLed4sObqf0/JcCVEW/jFIevRLGX5ezkKPF44UyZsu X-Received: by 10.101.76.204 with SMTP id n12mr6070014pgt.15.1518813332437; Fri, 16 Feb 2018 12:35:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518813332; cv=none; d=google.com; s=arc-20160816; b=H7byhV7z/akgHbstj6SdWP9QUALFxWYklEdH3CueJ6PuaSQVI5+lbZmwzylju8stb/ mnKbhVWgPbfCpGzMj4qtuJ1egzu2nbeX3YLNsRiz4JM7w24wF9iDxuKKX3oQYGBUfz0g YY246WFTi6GkmrAd6lKDLve++D4+IZjkpC7kUqJSkKGDQbj4K5gq9qRm9l2XaTGP6fpI 6kfTQBVa2qH8UiOA5HigOUsBbH1QhdO/kAvOuWKS0izINoudGOzPWc5fiKfwCbSLhdTm paNo9oOQzx1/b1P1/xKA4batXSWFjWVIH4ipCJt6900p0wwYZm3ZLNNvYbvI0Gkx0f1d zRsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=SHULkiKs1SdlOrYXBNOUNyCiEY09xiCEmePUGn79qF8=; b=zB8BSbrQ4/24gHti4sx2ClcvVqjFzQCMTIGMUlBb1an/ptPxUQlpvZXWEwDaxtePHF ZQrZ9YXmya8hSd4C9dO12YqyJvu4//G66SxH39iEOBgS6CsIqgOdmV1zSiBoFfzjOSd9 H0EbmKd8Jmtjo7QSV/qPA6hA5jBEuxJAVrVWEtJjRsUHj/U1yeraoyRwUZTbO8BQ/s7f NZCRiT3nNefotEhtx2RA+zTckExt1AoTINViVy/5HjY2eC+tP9/NYwUHUGJIdeBi1ErT MEufzi/Rxibrs/ETXQeQoJYCO9vV4Qf1f9k7BvbxdH5uOQWEDfbNYEWVd3Rf59oitB/y imqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=MIHbBMXJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f76si326327pfe.323.2018.02.16.12.35.32; Fri, 16 Feb 2018 12:35:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=MIHbBMXJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751228AbeBPUf0 (ORCPT + 28 others); Fri, 16 Feb 2018 15:35:26 -0500 Received: from alln-iport-4.cisco.com ([173.37.142.91]:4040 "EHLO alln-iport-4.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751092AbeBPUeL (ORCPT ); Fri, 16 Feb 2018 15:34:11 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2865; q=dns/txt; s=iport; t=1518813251; x=1520022851; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=h+x182m25pAUhcejAUrzU53jlgUVrI0n67CYLEcHg4c=; b=MIHbBMXJwxMTVSusu7cqNfVjfHcll5rf1rUOSEsq+Gy3no8vQIEJYWZT tMfmLMV0TUOH9RBZ2lZTpDPywJCOAgERrYmYOPyC/9U6ZMjZ7xIDJ33ck 6dbXgTnHu0DiWtN5sNtCFByioL7LQMZX6URyEXHHWRavTDbd/YpuJkFFM c=; X-IronPort-AV: E=Sophos;i="5.46,520,1511827200"; d="scan'208";a="71929476" Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Feb 2018 20:34:10 +0000 Received: from sjc-ads-7132.cisco.com (sjc-ads-7132.cisco.com [10.30.217.207]) (authenticated bits=0) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w1GKXsMh015412 (version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NO); Fri, 16 Feb 2018 20:34:09 GMT From: Taras Kondratiuk To: "H. Peter Anvin" , Al Viro , Arnd Bergmann , Rob Landley , Mimi Zohar , Jonathan Corbet , James McMechan Cc: initramfs@vger.kernel.org, Victor Kamensky , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, xe-linux-external@cisco.com Subject: [PATCH v3 15/15] selinux: delay sid population for rootfs till init is complete Date: Fri, 16 Feb 2018 20:33:54 +0000 Message-Id: <1518813234-5874-19-git-send-email-takondra@cisco.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1518813234-5874-1-git-send-email-takondra@cisco.com> References: <1518813234-5874-1-git-send-email-takondra@cisco.com> X-Auto-Response-Suppress: DR, OOF, AutoReply X-Authenticated-User: takondra@cisco.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Victor Kamensky With initramfs cpio format that supports extended attributes we need to skip sid population on sys_lsetxattr call from initramfs for rootfs if security server is not initialized yet. Otherwise callback in selinux_inode_post_setxattr will try to translate give security.selinux label into sid context and since security server is not available yet inode will receive default sid (typically kernel_t). Note that in the same time proper label will be stored in inode xattrs. Later, since inode sid would be already populated system will never look back at actual xattrs. But if we skip sid population for rootfs and we have policy that direct use of xattrs for rootfs, proper sid will be filled in from extended attributes one node is accessed and server is initialized. Note new DELAYAFTERINIT_MNT super block flag is introduced to only mark rootfs for such behavior. For other types of tmpfs original logic is still used. Signed-off-by: Victor Kamensky --- security/selinux/hooks.c | 9 ++++++++- security/selinux/include/security.h | 1 + 2 files changed, 9 insertions(+), 1 deletion(-) -- 2.10.3.dirty Signed-off-by: Victor Kamensky diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f3fe65589f02..bb25268f734e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -716,7 +716,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, */ if (!strncmp(sb->s_type->name, "rootfs", sizeof("rootfs"))) - sbsec->flags |= SBLABEL_MNT; + sbsec->flags |= SBLABEL_MNT|DELAYAFTERINIT_MNT; /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security @@ -3253,6 +3253,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, { struct inode *inode = d_backing_inode(dentry); struct inode_security_struct *isec; + struct superblock_security_struct *sbsec; u32 newsid; int rc; @@ -3261,6 +3262,12 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, return; } + if (!ss_initialized) { + sbsec = inode->i_sb->s_security; + if (sbsec->flags & DELAYAFTERINIT_MNT) + return; + } + rc = security_context_to_sid_force(value, size, &newsid); if (rc) { printk(KERN_ERR "SELinux: unable to map context to SID" diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 02f0412d42f2..585acfd6cbcf 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -52,6 +52,7 @@ #define ROOTCONTEXT_MNT 0x04 #define DEFCONTEXT_MNT 0x08 #define SBLABEL_MNT 0x10 +#define DELAYAFTERINIT_MNT 0x20 /* Non-mount related flags */ #define SE_SBINITIALIZED 0x0100 #define SE_SBPROC 0x0200