    Smack: Add support for unprivileged mounts from user namespaces · 460e9697
    Seth Forshee authored
    Security labels from unprivileged mounts cannot be trusted.
    Ideally for these mounts we would assign the objects in the
    filesystem the same label as the inode for the backing device
    passed to mount. Unfortunately it's currently impossible to
    determine which inode this is from the LSM mount hooks, so we
    settle for the label of the process doing the mount.
    
    This label is assigned to s_root, and also to smk_default to
    ensure that new inodes receive this label. The transmute property
    is also set on s_root to make this behavior more explicit, even
    though it is technically not necessary.
    
    If a filesystem has existing security labels, access to inodes is
    permitted if the label is the same as smk_root, otherwise access
    is denied. The SMACK64EXEC xattr is completely ignored.
    
    Explicit setting of security labels continues to require
    CAP_MAC_ADMIN in init_user_ns.
    
    Altogether, this ensures that filesystem objects are not
    accessible to subjects which cannot already access the backing
    store, that MAC is not violated for any objects in the filesystem
    which are already labeled, and that a user cannot use an
    unprivileged mount to gain elevated MAC privileges.
    
    sysfs, tmpfs, and ramfs are already mountable from user
    namespaces and support security labels. We can't rule out the
    possibility that these filesystems may already be used in mounts
    from user namespaces with security labels set from the init
    namespace, so failing to trust labels in these filesystems may
    introduce regressions. It is safe to trust labels from these
    filesystems, since the unprivileged user does not control the
    backing store and thus cannot supply security labels, so an
    explicit exception is made to trust labels from these
    filesystems.
    Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
    Acked-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
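The labeling rules the commit message lays out, written as a small stand-alone model (added here; this is not the kernel's Smack code). Labels are plain strings, `smack_mnt_init`, `smack_inode_label` and `smack_exec_label` are hypothetical names, and for a trusted mount the root and default labels are simply supplied by the caller, standing in for whatever the filesystem or mount options would normally provide.

```c
#include <stdbool.h>
#include <string.h>

/* Model of one mounted superblock's Smack state (hypothetical, not kernel code). */
struct smack_mnt {
    bool from_user_ns;       /* mounted by an unprivileged user namespace */
    const char *fstype;
    const char *smk_root;    /* label assigned to s_root */
    const char *smk_default; /* label given to inodes that carry none */
    bool transmute;          /* transmute property on s_root */
};

/* Labels in sysfs, tmpfs and ramfs are trusted even from user namespaces,
 * because the unprivileged mounter does not control the backing store. */
static bool labels_trusted(const struct smack_mnt *m)
{
    if (!m->from_user_ns)
        return true;
    return !strcmp(m->fstype, "sysfs") || !strcmp(m->fstype, "tmpfs") ||
           !strcmp(m->fstype, "ramfs");
}

/* Set up superblock state at mount time.  An untrusted mount takes the
 * mounter's label for both s_root and smk_default and sets transmute;
 * a trusted mount keeps the caller-supplied labels (model assumption). */
void smack_mnt_init(struct smack_mnt *m, bool from_user_ns, const char *fstype,
                    const char *mounter_label, const char *fs_root,
                    const char *fs_default)
{
    m->from_user_ns = from_user_ns;
    m->fstype = fstype;
    if (labels_trusted(m)) {
        m->smk_root = fs_root;
        m->smk_default = fs_default;
        m->transmute = false;
    } else {
        m->smk_root = mounter_label;
        m->smk_default = mounter_label;
        m->transmute = true;
    }
}

/* Effective label of an inode whose stored SMACK64 label is xattr_label
 * (NULL when absent).  Returns NULL when access must be denied: on an
 * untrusted mount an existing label is honoured only if it equals smk_root. */
const char *smack_inode_label(const struct smack_mnt *m, const char *xattr_label)
{
    if (!xattr_label)
        return m->smk_default;
    if (labels_trusted(m) || !strcmp(xattr_label, m->smk_root))
        return xattr_label;
    return NULL;
}

/* SMACK64EXEC is ignored entirely on untrusted mounts. */
const char *smack_exec_label(const struct smack_mnt *m, const char *xattr_exec)
{
    return labels_trusted(m) ? xattr_exec : NULL;
}
```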