Re: [BUG] cannot mount subvolume with selinux context

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


-------- Original Message --------
Subject: Re: [BUG] cannot mount subvolume with selinux context
From: Eryu Guan <guaneryu@xxxxxxxxx>
To: Zach Brown <zab@xxxxxxxxx>
Date: 2014年08月20日 11:57

On Tue, Aug 19, 2014 at 10:28:54AM -0700, Zach Brown wrote:

On Tue, Aug 19, 2014 at 11:32:16AM +0800, Eryu Guan wrote:

Hi,

Description of the problem:

mount btrfs with selinux context, then create a subvolume, the new
subvolume cannot be mounted, even with the same context.

mkfs -t btrfs /dev/sda5
mount -o context=system_u:object_r:nfs_t:s0 /dev/sda5 /mnt/btrfs
btrfs subvolume create /mnt/btrfs/subvol
mount -o subvol=subvol,context=system_u:object_r:nfs_t:s0 /dev/sda5 /mnt/test

Submit a xfstest?

Sure, will do.

Thanks,
Eryu

The security_sb_copy_data() takes out selinux context data to
"secdata", then mount_subvol() calls mount_fs() (via vfs_kern_mount())
again without selinux context, so mount_subvol() fails, which fails
the whole mount.

Not sure what's the proper fix. Zach suggestted that the fix will
probably be to rework the vfs functions a bit as he said in rh
bugzilla[1].

Yeah, I have no idea what'd be preferred here:

  - rework the vfs _kern_ mount api to offer one that doesn't mess with
    selinux mount options
  - add a flag to have the second _kern_ mount ignore selinux (but not
    MS_KERNMOUNT?)
  - binary data and fs selinux handling?  (like nfs)
In fact, we can just make btrfs deal with "subvol=" mount option in a new method. Current, btrfs handle "subvol=" by call vfs_kern_mount again and use vfs level mount_subtree() to do the path 
search thing.
But on the other hand, btrfs does not call vfs_kern_mount() when handling default subvolume or "subvolid=" mount, so, I think we can do all the path search inside btrfs instead of reuse vfs level functions, and convert "subvol=" 
mount option to "subvolid=", which should be selinux friendly now.
(And in this method mount_subvol() should be called just before get_default_root()). 

If I am wrong, please tell me.
BTW, it seems that if mainline kernel accept the patchset which convert "subvolid=" to "subvol=", it will make the 
bug more seriously. :-(
Thank goddness, the successor patch uses get_path()....

Thanks,
Qu


- z

--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Filesystem Development]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux