Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. I wasn't able to do a bisect on this issue... partially because when I go back far enough I have trouble building a kernel that actually boots in a KVM guest, but also because not all of the related code landed in mainline at the same time (more on that in a bit). Although I wasn't able to do a bisect, I do believe this behavior goes all the way back to the introduction of labeled NFS. I was able to reproduce this behavior on all versions of RHEL, going all the way back to RHEL 7.0, which was based on a 3.10 kernel with post-3.10 code (including the labeled NFS code) backported on top. The v1 posting of the labeled NFS patchset actually mentions a similar issue related to root squashing: https://lore.kernel.org/lkml/7e0fb38c0802280622o75a474deg38157ff6aace16b@xxxxxxxxxxxxxx/t/ There is no mention of root squashing issues (fixed or otherwise) in subsequent postings. The inode_setsecctx hooks first appear in v2: https://lore.kernel.org/all/1221511278-28051-1-git-send-email-dpquigl@xxxxxxxxxxxxx/ The posting mentions other mailing list discussions related to the hooks, but I'm not really able to find anything specific on why the caller of the setsecctx hook would be expected to perform the permissions checking rather than doing it in the hook itself. The inode_setsecctx hook was merged in September 2009 (merge commit f6f79190866d). It looks like this was for labeling support on sysfs, which used the inode_getsecctx and inode_notifysecctx hooks, but not the inode_setsecctx hook. It doesn't look like there was any user of the inode_setsecctx hook until the labeled NFS code was merged in July 2013 (merge commit 0ff08ba5d066). The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode's i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks do. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label. I guess it's also worth mentioning that when nfsd rejects root's attempt to set a label on a file on a root squashed export, the error on the wire is NFS4ERR_PERM rather than NFS4ERR_ACCESS. -Scott Scott Mayhew (1): selinux,smack: don't bypass permissions check in inode_setsecctx hook security/selinux/hooks.c | 4 ++-- security/smack/smack_lsm.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) -- 2.46.0
