Date:	Wed, 15 Jul 2015 14:46:06 -0500
From:	Seth Forshee <seth.forshee@...onical.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	James Morris <james.l.morris@...cle.com>,
	"Serge E. Hallyn" <serge@...lyn.com>
Cc:	Serge Hallyn <serge.hallyn@...onical.com>,
	Andy Lutomirski <luto@...capital.net>,
	Seth Forshee <seth.forshee@...onical.com>,
	linux-fsdevel@...r.kernel.org,
	linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
	linux-kernel@...r.kernel.org
Subject: [PATCH 5/7] security: Restrict security attribute updates for userns mounts

Respecting security labels for mounts from user namespaces may
allow unprivileged users to introduce security labels into the
system. To stop this from happening, prevent calling the
inode_post_setxattr, inode_setsecurity, inode_notifysecctx, and
inode_setsecctx hooks when s_user_ns != init_user_ns. There's no
purpose in actually blocking setting of these xattrs, as (for rw
mounts at least) the user must have write access to the
underlying filesystem and could set the xattrs by other means.

Signed-off-by: Seth Forshee <seth.forshee@...onical.com>
---
 security/security.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/security/security.c b/security/security.c
index 062f3c997fdc..980710baa8f9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -653,7 +653,9 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name,
 {
 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
 		return;
-	call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
+	if (dentry->d_inode->i_sb->s_user_ns == &init_user_ns)
+		call_void_hook(inode_post_setxattr, dentry, name, value, size,
+			       flags);
 	evm_inode_post_setxattr(dentry, name, value, size);
 }
 
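Review bot: evm_inode_post_setxattr() still runs unconditionally after the new s_user_ns test in security_inode_post_setxattr(), so EVM continues to act on xattr updates from user namespace mounts while the LSM hook is skipped. If that is intended, say so in the commit message or in a comment above the test; otherwise place the EVM call under the same condition. The new test also reads dentry->d_inode directly while the IS_PRIVATE check two lines above uses d_backing_inode(dentry); using the same accessor for both would keep the function consistent.
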
@@ -712,6 +714,8 @@ int security_inode_getsecurity(const struct inode *inode, const char *name, void
 
 int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
 {
+	if (inode->i_sb->s_user_ns != &init_user_ns)
+		return -EOPNOTSUPP;
 	if (unlikely(IS_PRIVATE(inode)))
 		return -EOPNOTSUPP;
 	return call_int_hook(inode_setsecurity, -EOPNOTSUPP, inode, name,
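
Review bot: the s_user_ns test at the top of security_inode_setsecurity() has no comment, and the same comparison against &init_user_ns is open-coded in every function this patch touches. A small helper taking the inode (or superblock), with a one-line comment explaining that labels from user namespace mounts are not passed to the LSMs, would document the policy in one place. Returning -EOPNOTSUPP here matches the default already passed to call_int_hook(), so callers see the same result as with no LSM handling the attribute, which is worth stating in that comment.
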
@@ -1168,12 +1172,16 @@ EXPORT_SYMBOL(security_release_secctx);
 
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
 {
+	if (inode->i_sb->s_user_ns != &init_user_ns)
+		return -EOPNOTSUPP;
 	return call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen);
 }
 EXPORT_SYMBOL(security_inode_notifysecctx);
 
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
 {
+	if (dentry->d_inode->i_sb->s_user_ns != &init_user_ns)
+		return -EOPNOTSUPP;
 	return call_int_hook(inode_setsecctx, 0, dentry, ctx, ctxlen);
 }
 EXPORT_SYMBOL(security_inode_setsecctx);
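
Review bot: in security_inode_notifysecctx() and security_inode_setsecctx() the new early return is -EOPNOTSUPP, but the default passed to call_int_hook() in both functions is 0, so callers that currently get success when no LSM implements the hook will now get an error on user namespace mounts. The commit message says there is no purpose in blocking these updates, which suggests returning 0 (silently skipping the hook) rather than an error; if -EOPNOTSUPP is deliberate, the callers' handling of it should be explained. As in the first hunk, security_inode_setsecctx() dereferences dentry->d_inode directly where d_backing_inode(dentry) is used elsewhere in this file.
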
-- 
1.9.1
