From 7fa2e79a6bb924fa4b2de5766dab31f0f47b5ab6 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Thu, 11 Feb 2021 13:03:03 -0500 Subject: selinux: Allow context mounts for unpriviliged overlayfs Now overlayfs allow unpriviliged mounts. That is root inside a non-init user namespace can mount overlayfs. This is being added in 5.11 kernel. Giuseppe tried to mount overlayfs with option "context" and it failed with error -EACCESS. $ su test $ unshare -rm $ mkdir -p lower upper work merged $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged This fails with -EACCESS. It works if option "-o context" is not specified. Little debugging showed that selinux_set_mnt_opts() returns -EACCESS. So this patch adds "overlay" to the list, where it is fine to specific context from non init_user_ns. Reported-by: Giuseppe Scrivano Signed-off-by: Vivek Goyal [PM: trimmed the changelog from the description] Signed-off-by: Paul Moore --- security/selinux/hooks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ddd097790d47..eca9fc0ba764 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (sb->s_user_ns != &init_user_ns && strcmp(sb->s_type->name, "tmpfs") && strcmp(sb->s_type->name, "ramfs") && - strcmp(sb->s_type->name, "devpts")) { + strcmp(sb->s_type->name, "devpts") && + strcmp(sb->s_type->name, "overlay")) { if (context_sid || fscontext_sid || rootcontext_sid || defcontext_sid) { rc = -EACCES; -- cgit v1.2.3-58-ga151