[PATCH] SELinux: allow other LSMs to use custom mount args

Paul Moore paul at paul-moore.com
Wed Aug 29 04:58:51 UTC 2018


On Tue, Aug 28, 2018 at 5:32 PM Micah Morton <mortonm at chromium.org> wrote:
> The security_sb_copy_data LSM hook allows LSMs to copy custom string
> name/value args passed to mount_fs() into a temporary buffer (called
> "secdata") that will be accessible to LSM code during the
> security_sb_kern_mount hook further down in mount_fs(). Currently,
> SELinux effectively prevents any other LSMs from copying custom mount
> args into the temporary buffer (and being able to access them during
> security_sb_kern_mount), as it will fail with -EINVAL and print
> "SELinux:  unknown mount option" to the kernel message buffer if args it
> doesn't recognize are present in the temporary buffer when
> selinux_sb_kern_mount is called. This change adds an arg to the list of
> those accepted by SELinux during security_sb_kern_mount. SELinux won't
> do anything with this arg besides allow the name/value pair to be passed
> along to any other LSM that is stacked after SELinux.
>
> Developed on v4.18.
>
> Signed-off-by: Micah Morton <mortonm at chromium.org>
> ---
>  security/selinux/hooks.c            |  7 ++++++-
>  security/selinux/include/security.h | 11 ++++++-----
>  2 files changed, 12 insertions(+), 6 deletions(-)

SELinux patches need to be sent to the SELinux mailing list (CC'd) for
proper review.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2b5ee5fbd652..e70ccc701eb8 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -445,6 +445,7 @@ enum {
>         Opt_rootcontext = 4,
>         Opt_labelsupport = 5,
>         Opt_nextmntopt = 6,
> +       Opt_lsm_custom_arg = 7,
>  };
>
>  #define NUM_SEL_MNT_OPTS       (Opt_nextmntopt - 1)
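Review bot: `Opt_lsm_custom_arg = 7` is placed numerically past `Opt_nextmntopt`, which `NUM_SEL_MNT_OPTS` on the line below uses as the end-of-SELinux-options sentinel, and nothing in the enum says that this is deliberate. It presumably is (the pass-through token should not be counted as an SELinux mount option), but `Opt_nextmntopt` no longer reads as "next free", and a later contributor could insert a real option between the two. Add a comment on the new enumerator, `/* not an SELinux option: kept above Opt_nextmntopt so NUM_SEL_MNT_OPTS excludes it */`. The same token is added to the `tokens` table in the following hunk; any loop bounded by `NUM_SEL_MNT_OPTS` will not see it, which should be confirmed as the intent.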
> @@ -455,6 +456,7 @@ static const match_table_t tokens = {
>         {Opt_defcontext, DEFCONTEXT_STR "%s"},
>         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
>         {Opt_labelsupport, LABELSUPP_STR},
> +       {Opt_lsm_custom_arg, LSM_CUSTOM_ARG_STR "%s"},
>         {Opt_error, NULL},
>  };
>
> @@ -1156,6 +1158,8 @@ static int selinux_parse_opts_str(char *options,
>                         break;
>                 case Opt_labelsupport:
>                         break;
> +               case Opt_lsm_custom_arg:
> +                       break;
>                 default:
>                         rc = -EINVAL;
>                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
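Review bot: The new `case Opt_lsm_custom_arg: break;` silently discards the value of an option SELinux now accepts on behalf of an unnamed other LSM, and a reader of this switch cannot tell the discard is intentional. Add `/* opaque to SELinux: the value is consumed by a stacked LSM via secdata */` above the `break`. Note also that the `%s` pattern in the match-table entry (previous hunk) presumably requires a non-empty value, as it does for `context=`, so `lsm_custom_arg=` with an empty value would still fall through to `default` and log the unknown-option warning; if that is acceptable it is worth stating in the commit message. selinux_parse_opts_str begins and ends outside the hunk.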
> @@ -2758,7 +2762,8 @@ static inline int selinux_option(char *option, int len)
>                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
>                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
>                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
> -               match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
> +               match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len) ||
> +               match_prefix(LSM_CUSTOM_ARG_STR, sizeof(LSM_CUSTOM_ARG_STR)-1, option, len));
>  }
>
>  static inline void take_option(char **to, char *from, int *first, int len)
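Review bot: Adding the prefix to `selinux_option()` presumably makes the sb_copy_data path (not shown, but `take_option` just below is its helper) move every `lsm_custom_arg=` entry out of the filesystem's option string into secdata, so a filesystem that itself understood such an option would never see it; the commit message describes only the parse side of the change. If that is intended, say so in the commit message and annotate the new `match_prefix` line with `/* claimed on behalf of stacked LSMs; stripped from the fs options */`. The check is a prefix match only, so the value after `=` is not validated here or in selinux_parse_opts_str. selinux_option's opening line is outside the hunk.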
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 23e762d529fa..0ead836a0625 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -59,11 +59,12 @@
>  #define SE_SBPROC              0x0200
>  #define SE_SBGENFS             0x0400
>
> -#define CONTEXT_STR    "context="
> -#define FSCONTEXT_STR  "fscontext="
> -#define ROOTCONTEXT_STR        "rootcontext="
> -#define DEFCONTEXT_STR "defcontext="
> -#define LABELSUPP_STR "seclabel"
> +#define CONTEXT_STR         "context="
> +#define FSCONTEXT_STR       "fscontext="
> +#define ROOTCONTEXT_STR     "rootcontext="
> +#define DEFCONTEXT_STR      "defcontext="
> +#define LABELSUPP_STR       "seclabel"
> +#define LSM_CUSTOM_ARG_STR  "lsm_custom_arg="
>
>  struct netlbl_lsm_secattr;
>
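Review bot: The five existing `#define` lines are re-indented only to align with the new `LSM_CUSTOM_ARG_STR`, which turns a one-line addition into a six-line change and obscures blame for the real edit. Either keep the original spacing and append `#define LSM_CUSTOM_ARG_STR "lsm_custom_arg="` as the single added line, or put the realignment in a separate whitespace-only patch. The name is also very generic for a single option string that every stacked LSM would have to share and parse; a short comment above it, `/* opaque name/value pair passed through SELinux to stacked LSMs */`, would tell the reader what it is for.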
> --
> 2.19.0.rc0.228.g281dcd1b4d0-goog
>


-- 
paul moore
www.paul-moore.com


