Re: [PATCH][v2] selinux: Allow context mounts for unprivileged overlayfs

On Thu, Feb 11, 2021 at 4:24 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> >
> > Now overlayfs allows unprivileged mounts. That is, root inside a non-init
> > user namespace can mount overlayfs. This is being added in the 5.11 kernel.
> >
> > Giuseppe tried to mount overlayfs with option "context" and it failed
> > with error -EACCESS.
> >
> > $ su test
> > $ unshare -rm
> > $ mkdir -p lower upper work merged
> > $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
> >
> > This fails with -EACCESS. It works if option "-o context" is not specified.
> >
> > A little debugging showed that selinux_set_mnt_opts() returns -EACCESS.
> >
> > So this patch adds "overlay" to the list, where it is fine to specify
> > context from non init_user_ns.
> >
> > v2: Fixed commit message to reflect that unprivileged overlayfs mount is
> >     being added in 5.11 and not in 5.10 kernel.
> >
> > Reported-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
> > Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
> > ---
> >  security/selinux/hooks.c |    3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
>
> Thanks Vivek, once the merge window closes I'll merge this into
> selinux/next and send a note to this thread.

I just merged this into my local selinux/next and will be pushing it
to kernel.org later tonight.  Thanks!

-- 
paul moore
www.paul-moore.com
