• Ondrej Mosnacek's avatar
    selinux: always allow mounting submounts · fbbfb5c6
    Ondrej Mosnacek authored
    [ Upstream commit 2cbdcb882f97a45f7475c67ac6257bbc16277dfe ]
    
    If a superblock has the MS_SUBMOUNT flag set, we should always allow
    mounting it. These mounts are done automatically by the kernel either as
    part of mounting some parent mount (e.g. debugfs always mounts tracefs
    under "tracing" for compatibility) or they are mounted automatically as
    needed on subdirectory accesses (e.g. NFS crossmnt mounts). Since such
    automounts are either an implicit consequence of the parent mount (which
    is already checked) or they can happen during regular accesses (where it
    doesn't make sense to check against the current task's context), the
    mount permission check should be skipped for them.
    
    Without this patch, attempts to access contents of an automounted
    directory can cause unexpected SELinux denials.
    
    In the current kernel tree, the MS_SUBMOUNT flag is set only via
    vfs_submount(), which is called only from the following places:
     - AFS, when automounting special "symlinks" referencing other cells
     - CIFS, when automounting "referrals"
     - NFS, when automounting subtrees
     - debugfs, when automounting tracefs
    
    In all cases the submounts are meant to be transparent to the user and
    it makes sense that if mounting the master is allowed, then so should be
    the automounts. Note that CAP_SYS_ADMIN capability checking is already
    skipped for (SB_KERNMOUNT|SB_SUBMOUNT) in:
     - sget_userns() in fs/super.c:
    	if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) &&
    	    !(type->fs_flags & FS_USERNS_MOUNT) &&
    	    !capable(CAP_SYS_ADMIN))
    		return ERR_PTR(-EPERM);
     - sget() in fs/super.c:
            /* Ensure the requestor has permissions over the target filesystem */
            if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN))
                    return ERR_PTR(-EPERM);
    
    Verified internally on patched RHEL 7.6 with a reproducer using
    NFS+httpd and selinux-tesuite.
    
    Fixes: 93faccbb ("fs: Better permission checking for submounts")
    Signed-off-by: 's avatarOndrej Mosnacek <omosnace@redhat.com>
    Signed-off-by: 's avatarPaul Moore <paul@paul-moore.com>
    Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
    fbbfb5c6
Name
Last commit
Last update
..
apparmor Loading commit data...
integrity Loading commit data...
keys Loading commit data...
loadpin Loading commit data...
selinux Loading commit data...
smack Loading commit data...
tomoyo Loading commit data...
yama Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
commoncap.c Loading commit data...
device_cgroup.c Loading commit data...
inode.c Loading commit data...
lsm_audit.c Loading commit data...
min_addr.c Loading commit data...
security.c Loading commit data...