Re: [REGRESSION] EINVAL with mount in selinux_set_mnt_opts when mounting in a guest vm with selinux disabled

Ah... I see it's already in 6.1.55 -- tested that and confirmed we're all good.
Thanks.
-Simon

On Thu, Sep 28, 2023 at 10:43 AM Simon Kaegi <simon.kaegi@xxxxxxxxx> wrote:
>
> Thanks Jeff. I've confirmed that Ondrej's patch fixes the issue we
> were having. Definitely would be great to get this in 6.1.x soon.
> -Simon
>
> On Wed, Sep 27, 2023 at 4:21 PM Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> >
> > On Wed, 2023-09-27 at 15:55 -0400, Simon Kaegi wrote:
> > > #regzbot introduced v6.1.52..v6.1.53
> > > #regzbot introduced: ed134f284b4ed85a70d5f760ed0686e3cd555f9b
> > >
> > > We hit this regression when updating our guest vm kernel from 6.1.52 to
> > > 6.1.53 -- bisecting this problem was introduced
> > > in ed134f284b4ed85a70d5f760ed0686e3cd555f9b -- vfs, security: Fix automount
> > > superblock LSM init problem, preventing NFS sb sharing --
> > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.53&id=ed134f284b4ed85a70d5f760ed0686e3cd555f9b
> > >
> > > We're getting an EINVAL in `selinux_set_mnt_opts` in
> > > `security/selinux/hooks.c` when mounting a folder in a guest VM where
> > > selinux is disabled. We're mounting from another folder that we suspect has
> > > selinux labels set from the host. The EINVAL is getting set in the
> > > following block...
> > > ```
> > > if (!selinux_initialized(&selinux_state)) {
> > >         if (!opts) {
> > >                 /* Defer initialization until selinux_complete_init,
> > >                         after the initial policy is loaded and the security
> > >                         server is ready to handle calls. */
> > >                 goto out;
> > >         }
> > >         rc = -EINVAL;
> > >         pr_warn("SELinux: Unable to set superblock options "
> > >                 "before the security server is initialized\n");
> > >         goto out;
> > > }
> > > ```
> > > We can reproduce 100% of the time but don't currently have a simple
> > > reproducer as the problem was found in our build service which uses
> > > kata-containers (with cloud-hypervisor and rootfs mounted via virtio-blk).
> > >
> > > We have not checked the mainline as we currently are tied to 6.1.x.
> > >
> > > -Simon
> >
> > This sounds very similar to the bug that Ondrej fixed here:
> >
> >     https://lore.kernel.org/selinux/20230911142358.883728-1-omosnace@xxxxxxxxxx/
> >
> > You may want to try that patch and see if it helps.
> > --
> > Jeff Layton <jlayton@xxxxxxxxxx>
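As an added triage aid (not code from the thread or from the kernel tree): the quoted `selinux_set_mnt_opts` block emits a `pr_warn` before returning `-EINVAL`, so a guest that hits this regression leaves a recognisable line in its kernel log. The script below scans constructed dmesg-style lines for that warning and checks the running stable version against the affected range. The range `6.1.53..6.1.54` is an assumption taken from the thread (introduced in 6.1.53, confirmed fixed in 6.1.55); the sample log lines are constructed, not captured from a real system.

```python
import re

# Exact warning text from the quoted security/selinux/hooks.c block.
SELINUX_MNT_WARN = ("SELinux: Unable to set superblock options "
                    "before the security server is initialized")

# Assumed affected stable range, derived from the thread: the regression
# arrived in 6.1.53 and Simon confirmed the fix is present in 6.1.55.
AFFECTED_LOW = (6, 1, 53)
AFFECTED_HIGH = (6, 1, 54)

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> tuple:
    """Turn a `uname -r` string such as '6.1.53-generic' into (6, 1, 53)."""
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(release: str) -> bool:
    """True if the release falls inside the assumed affected stable range."""
    return AFFECTED_LOW <= parse_kernel_version(release) <= AFFECTED_HIGH


def find_selinux_mnt_warnings(log_lines) -> list:
    """Return every log line carrying the EINVAL warning from the quoted block."""
    return [line for line in log_lines if SELINUX_MNT_WARN in line]


def triage(release: str, log_lines) -> dict:
    """Combine the version check and the log scan into one verdict."""
    hits = find_selinux_mnt_warnings(log_lines)
    affected = is_affected_version(release)
    return {
        "kernel": release,
        "affected_version": affected,
        "warning_count": len(hits),
        # Both signals together point at the regression rather than at an
        # unrelated mount failure or an unrelated kernel.
        "likely_regression": affected and bool(hits),
    }


# Constructed sample dmesg excerpt (illustrative only, not a real capture).
SAMPLE_DMESG = [
    "[    0.000000] Linux version 6.1.53 (build@host) ...",
    "[    2.104213] SELinux:  Disabled at boot.",
    "[   14.882107] " + SELINUX_MNT_WARN,
    "[   14.882311] virtio_blk virtio2: [vda] 0 512-byte logical blocks",
]

if __name__ == "__main__":
    print(triage("6.1.53", SAMPLE_DMESG))
```

On a live guest you would feed `triage()` the output of `uname -r` and the lines of `dmesg`; a verdict of `likely_regression` on a 6.1.53 or 6.1.54 guest with SELinux disabled matches the symptom described in the thread, and the fix is to move to 6.1.55 or later.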
