From 0a981fd3ddae0a8491d78cda1956c156a879f7c6 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 20 Jan 2017 14:33:33 -0600 Subject: [PATCH] Linux v4.10-rc4-199-ge90665a --- gitrev | 2 +- kernel.spec | 8 ++- ...ux-allow-context-mounts-on-tmpfs-etc.patch | 57 +++++++++++++++++++ sources | 2 +- 4 files changed, 66 insertions(+), 3 deletions(-) create mode 100644 selinux-allow-context-mounts-on-tmpfs-etc.patch diff --git a/gitrev b/gitrev index 52e6b4ebb..f2a25dfda 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -81aaeaac461071c591cbd188748ad875e0efae7e +e90665a5d38b17fdbe484a85fbba917a7006522d diff --git a/kernel.spec b/kernel.spec index 6b76b6097..8e2bb294a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 4 # The git snapshot level -%define gitrev 3 +%define gitrev 4 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -587,6 +587,9 @@ Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch # Fix build issue with armada_trace Patch851: Armada-trace-build-fix.patch +# selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces +Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch + # END OF PATCH DEFINITIONS %endif @@ -2157,6 +2160,9 @@ fi # # %changelog +* Fri Jan 20 2017 Justin M. Forbes - 4.10.0-0.rc4.git4.1 +- Linux v4.10-rc4-199-ge90665a + * Fri Jan 20 2017 Peter Robinson - Initial DT support for Hummingboard 2 (Edge/Gate) diff --git a/selinux-allow-context-mounts-on-tmpfs-etc.patch b/selinux-allow-context-mounts-on-tmpfs-etc.patch new file mode 100644 index 000000000..cbb5b8cdf --- /dev/null +++ b/selinux-allow-context-mounts-on-tmpfs-etc.patch @@ -0,0 +1,57 @@ +From 01593d3299a1cfdb5e08acf95f63ec59dd674906 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Mon, 9 Jan 2017 10:07:31 -0500 +Subject: [PATCH] selinux: allow context mounts on tmpfs, ramfs, devpts within + user namespaces + +commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for +unprivileged mounts from user namespaces") prohibited any use of context +mount options within non-init user namespaces. However, this breaks +use of context mount options for tmpfs mounts within user namespaces, +which are being used by Docker/runc. There is no reason to block such +usage for tmpfs, ramfs or devpts. Exempt these filesystem types +from this restriction. + +Before: +sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash +sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp +mount: tmpfs is write-protected, mounting read-only +mount: cannot mount tmpfs read-only + +After: +sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash +sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp +sh# ls -Zd /tmp +unconfined_u:object_r:user_tmp_t:s0:c13 /tmp + +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +--- + security/selinux/hooks.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index e4b953f..e32f4b5 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb, + } + + /* +- * If this is a user namespace mount, no contexts are allowed +- * on the command line and security labels must be ignored. ++ * If this is a user namespace mount and the filesystem type is not ++ * explicitly whitelisted, then no contexts are allowed on the command ++ * line and security labels must be ignored. + */ +- if (sb->s_user_ns != &init_user_ns) { ++ if (sb->s_user_ns != &init_user_ns && ++ strcmp(sb->s_type->name, "tmpfs") && ++ strcmp(sb->s_type->name, "ramfs") && ++ strcmp(sb->s_type->name, "devpts")) { + if (context_sid || fscontext_sid || rootcontext_sid || + defcontext_sid) { + rc = -EACCES; +-- +2.9.3 + diff --git a/sources b/sources index 84f18db54..3b44b8531 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99 SHA512 (patch-4.10-rc4.xz) = 89d903d52ff907f3911ac09214d1299c310fd67b7ff36170c6233e6348049fb0f669ba245a8ca310f52c91eb523aa5f91a9b52f4c67ca932b951fe2c60f25ae5 -SHA512 (patch-4.10-rc4-git3.xz) = f828c62b03e2814b2cf6aadab27a1d262917871cb2d4d696360dd0dee0765aaec0bf1621de6d67d133613b455be1c6251437d59920fde31c0f52cd9e081339b0 +SHA512 (patch-4.10-rc4-git4.xz) = aac2b5ff9120aab1c7aa539eca02c7e743e064f8788c51338cf8855a17cd225ebc36261c9e27da398fbbb42ec2742f202a084fef01ddf3e18861d1fdd1483897