[LSM Stacking] new files fail to inherit SELinux security context of the current directory

Leesoo Ahn lsahn at wewakecorp.com
Tue Jul 4 01:21:54 UTC 2023


On 2023-07-03 at 11:53 PM, Casey Schaufler wrote:
> On 7/2/2023 7:06 PM, Leesoo Ahn wrote:
>  > Test env
>  > - Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
>  > - boot param: lsm=apparmor,selinux
>  > - AppArmor (Host) + SELinux (Container Fedora 36)
>  >
>  > Hello! I'm currently working on a project related to LSM Stacking, and
>  > a few days ago, I encountered a significant issue of SELinux in the
>  > container environment.
>  >
>  > When creating new files in the container using 'mkdir' and 'touch',
>  > the new files fail to inherit the security context of the current
>  > directory. This problem occurs for the following reason: the
>  > 'security_inode_init_security' hook is called, which sequentially
>  > calls 'apparmor_inode_init_security' and 'selinux_inode_init_security'
>  > in order. 'apparmor_inode_init_security' always returns -EOPNOTSUPP,
>  > hence 'selinux_inode_init_security' is never called.
>  >
>  > Does 'return 0' in 'apparmor_inode_init_security' to call stacking
>  > hooks sequentially have no side-effects? If so, the solution would be
>  > easy though.
> 
> The correct fix is to security_inode_init_security(), not
> apparmor_inode_init_security(). The upstream Linus kernel
> does not have a hook in apparmor, so this problem wasn't
> detected there. I'll be sure to get this into v39.

Thank you for the answer and stacking works.

If you need some help like tests, feel free to mail me.

best regards,
Leesoo
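The hook walk the thread describes, as an added, constructed model (not kernel code, not part of the stacking patch set, and not Casey's actual fix): two stand-in modules are registered in the order of the boot parameter lsm=apparmor,selinux, the AppArmor stand-in always declines with -EOPNOTSUPP, and the SELinux stand-in copies the parent directory's context onto the new inode. init_security_stop_on_first() walks the list the way a generic "stop at the first non-zero return" call_int_hook loop does and reproduces the symptom; init_security_skip_unsupported() models fixing the caller so that -EOPNOTSUPP means "this module does not label inodes" and the walk continues. The function names, hook signature and the sample context string are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the LSM hook walk described in the thread; this is
 * not kernel code. Each module's inode_init_security either supplies a
 * security context for the new inode (return 0), declines because it does
 * not label inodes (return -EOPNOTSUPP), or fails (another negative errno).
 */
typedef int (*init_security_fn)(const char *dir_ctx, char *out, size_t outlen);

/* AppArmor stand-in: it does not label inodes, so it always declines. */
static int model_apparmor_init_security(const char *dir_ctx, char *out, size_t outlen)
{
    (void)dir_ctx; (void)out; (void)outlen;
    return -EOPNOTSUPP;
}

/* SELinux stand-in: the new inode inherits the parent directory's context. */
static int model_selinux_init_security(const char *dir_ctx, char *out, size_t outlen)
{
    if (dir_ctx == NULL || out == NULL || outlen == 0)
        return -EINVAL;
    snprintf(out, outlen, "%s", dir_ctx);
    return 0;
}

/* Registration order follows the thread's boot parameter lsm=apparmor,selinux. */
static const init_security_fn hooks[] = {
    model_apparmor_init_security,
    model_selinux_init_security,
};
#define NHOOKS (sizeof(hooks) / sizeof(hooks[0]))

/*
 * Generic "call each hook, stop at the first non-zero return" walk.
 * With AppArmor registered first, its -EOPNOTSUPP ends the walk before
 * SELinux runs, so the new inode gets no context: the reported symptom.
 */
int init_security_stop_on_first(const char *dir_ctx, char *out, size_t outlen)
{
    int rc = -EOPNOTSUPP;
    for (size_t i = 0; i < NHOOKS; i++) {
        rc = hooks[i](dir_ctx, out, outlen);
        if (rc != 0)
            break;
    }
    return rc;
}

/*
 * Walk that treats -EOPNOTSUPP as "this module does not participate" and
 * keeps going; any other error is real and stops the walk. This models a
 * fix in the caller (security_inode_init_security), not a change to
 * apparmor_inode_init_security to return 0.
 */
int init_security_skip_unsupported(const char *dir_ctx, char *out, size_t outlen)
{
    int rc = -EOPNOTSUPP;          /* result if every module declines */
    for (size_t i = 0; i < NHOOKS; i++) {
        int r = hooks[i](dir_ctx, out, outlen);
        if (r == -EOPNOTSUPP)
            continue;
        rc = r;
        if (rc != 0)
            break;
    }
    return rc;
}

int main(void)
{
    /* Constructed sample: the context of the directory a file is created in. */
    const char *dir_ctx = "system_u:object_r:container_file_t:s0";
    char ctx[128];

    ctx[0] = '\0';
    int rc = init_security_stop_on_first(dir_ctx, ctx, sizeof ctx);
    printf("stop-on-first:    rc=%d ctx='%s'\n", rc, ctx);

    ctx[0] = '\0';
    rc = init_security_skip_unsupported(dir_ctx, ctx, sizeof ctx);
    printf("skip-unsupported: rc=%d ctx='%s'\n", rc, ctx);
    return 0;
}
```

The second walk still returns -EOPNOTSUPP when every registered module declines, which is the value callers already expect when no LSM labels inodes, so only the "one module declined, a later one did not" case changes behaviour.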
