From 23a4b9d2b1834d7adebb5be44571fe5c11c532d3 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Dec 2015 07:37:49 +0000 Subject: [PATCH 1/2] Fix up selinux policy for overlays MCS is restricting us from performing relabelfrom, and docker uses another label for the underlying files so we need to permit entrypoint from there. --- ...build => selinux-base-policy-2.20141203-r8.ebuild} | 0 .../sec-policy/selinux-base/files/mcs_create.diff | 11 ++++++----- ...03-r7.ebuild => selinux-base-2.20141203-r8.ebuild} | 0 ...ebuild => selinux-unconfined-2.20141203-r8.ebuild} | 0 .../sec-policy/selinux-virt/files/virt.diff | 4 ++-- ...03-r7.ebuild => selinux-virt-2.20141203-r8.ebuild} | 0 6 files changed, 8 insertions(+), 7 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/{selinux-base-policy-2.20141203-r7.ebuild => selinux-base-policy-2.20141203-r8.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/{selinux-base-2.20141203-r7.ebuild => selinux-base-2.20141203-r8.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/{selinux-unconfined-2.20141203-r7.ebuild => selinux-unconfined-2.20141203-r8.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/{selinux-virt-2.20141203-r7.ebuild => selinux-virt-2.20141203-r8.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r8.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r7.ebuild rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r8.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff index b8ae12ae00..64b823577d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff +++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff @@ -1,7 +1,7 @@ -diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs ---- refpolicy.orig/policy/mcs 2014-06-16 10:44:12.000000000 -0700 -+++ refpolicy/policy/mcs 2015-09-09 16:40:55.212940234 -0700 -@@ -99,14 +99,14 @@ +diff -ur work.orig/refpolicy/policy/mcs work/refpolicy/policy/mcs +--- refpolicy/policy/mcs 2015-12-18 13:41:18.655947448 +0000 ++++ refpolicy/policy/mcs 2015-12-18 13:42:40.364890957 +0000 +@@ -100,14 +100,14 @@ # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } @@ -10,7 +10,8 @@ diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } - ( h1 dom h2 ); +- ( h1 dom h2 ); ++ (( h1 dom h2 ) or (t1 == mcswriteall)); mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r8.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r7.ebuild rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r8.ebuild 
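Review bot: The new constraint `(( h1 dom h2 ) or (t1 == mcswriteall))` exempts every subject type carrying the mcswriteall attribute from MCS dominance on relabelfrom, for all seven object classes, not only the container-runtime case the commit message describes; any domain later given mcswriteall for write reasons silently gains the ability to strip a category set it does not dominate. The `create relabelto` constraint directly below stays unchanged, so such a domain can still only relabel to a level it dominates, which bounds the exposure, but that reasoning belongs in the policy file itself, e.g. a comment above the constraint: `# mcswriteall domains may relabelfrom objects they do not dominate; relabelto remains constrained`. The regenerated inner header now names `work.orig/refpolicy/policy/mcs` on the `diff -ur` line but `refpolicy/policy/mcs` on both `---` and `+++`, so the strip level the ebuild applies presumably follows the `---` line — worth confirming the ebuild still applies it cleanly after the regeneration.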
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r8.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r7.ebuild rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r8.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff index 54de5be8ff..28e2ab3f55 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff +++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff @@ -11,7 +11,6 @@ diff -ur refpolicy.orig/policy/modules/contrib/virt.te refpolicy/policy/modules/ + type tmpfs_t; + type var_lib_t; +} -+ +allow kernel_t svirt_lxc_net_t:process transition; +fs_manage_tmpfs_chr_files(svirt_lxc_net_t) +fs_manage_tmpfs_dirs(svirt_lxc_net_t) @@ -26,9 +25,10 @@ diff -ur refpolicy.orig/policy/modules/contrib/virt.te refpolicy/policy/modules/ +files_read_var_lib_files(svirt_lxc_net_t) +files_read_var_lib_symlinks(svirt_lxc_net_t) +term_use_generic_ptys(svirt_lxc_net_t) ++term_setattr_generic_ptys(svirt_lxc_net_t) +allow svirt_lxc_net_t tmpfs_t:chr_file { read write open }; +allow svirt_lxc_net_t self:capability sys_chroot; +allow svirt_lxc_net_t self:process getpgid; +allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton }; -+allow svirt_lxc_net_t var_lib_t:file { execute execute_no_trans }; ++allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans }; + 
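Review bot: Adding `entrypoint` to `allow svirt_lxc_net_t var_lib_t:file` makes any file labelled var_lib_t a valid entry point for the container domain, and the same rule already grants `execute execute_no_trans`, so the set of binaries trusted to start svirt_lxc_net_t now spans the whole generic var_lib_t label rather than only svirt_lxc_file_t, which already has `entrypoint mounton` two lines above. If the underlying image files are meant to be trusted entry points, relabelling that store as svirt_lxc_file_t would keep the grant narrow; if the broad rule is intended, it deserves a comment in the policy such as `# docker image layers are left as var_lib_t; allow transitions from them`. The added `term_setattr_generic_ptys(svirt_lxc_net_t)` is not mentioned in the commit message; a one-line comment on why the container needs setattr on host ptys would help the next reviewer.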
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r8.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r7.ebuild rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r8.ebuild From 49e4570444ebbb3a902d5ca3feb07b154419dfc0 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Dec 2015 08:03:58 +0000 Subject: [PATCH 2/2] Don't verify write permissions on lower inodes on overlayfs If a user opens a file r/w on overlayfs, and if the underlying inode is currently still on the lower fs, right now we're verifying whether selinux policy permits writes to the selinux context on the underlying inode. This is suboptimal, since we don't want confined processes to be able to write to these files if they're able to escape from a container and so don't want to permit this in policy. Have overlayfs pass down an additional flag when verifying the permission on lower inodes, and mask off the write bits in the selinux permissions check if that flag is set. --- ...3.ebuild => coreos-kernel-4.3.3-r1.ebuild} | 2 +- ....ebuild => coreos-sources-4.3.3-r1.ebuild} | 1 + ...te-permissions-on-lower-inodes-on-ov.patch | 68 +++++++++++++++++++ 3 files changed, 70 insertions(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.3.3.ebuild => coreos-kernel-4.3.3-r1.ebuild} (86%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.3.3.ebuild => coreos-sources-4.3.3-r1.ebuild} (96%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0022-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.3.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.3.3-r1.ebuild similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.3.3.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.3.3-r1.ebuild index ad6f2587f5..4cdc6203e3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.3.3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.3.3-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.3-r1.ebuild similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.3.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.3-r1.ebuild index 7b6648c80d..364e73a0ae 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.3-r1.ebuild @@ -37,5 +37,6 @@ UNIPATCH_LIST=" ${PATCH_DIR}/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch \ ${PATCH_DIR}/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \ ${PATCH_DIR}/0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ + ${PATCH_DIR}/0022-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \ " 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0022-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0022-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch
new file mode 100644
index 0000000000..cedd7e7794
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0022-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch
@@ -0,0 +1,68 @@
+From 3f2106fe2342d05f79dcef78da4cccc22c572b3b Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Tue, 22 Dec 2015 07:43:52 +0000
+Subject: [PATCH] Don't verify write permissions on lower inodes on overlayfs
+
+If a user opens a file r/w on overlayfs, and if the underlying inode is
+currently still on the lower fs, right now we're verifying whether selinux
+policy permits writes to the selinux context on the underlying inode. This
+is suboptimal, since we don't want confined processes to be able to write to
+these files if they're able to escape from a container and so don't want to
+permit this in policy. Have overlayfs pass down an additional flag when
+verifying the permission on lower inodes, and mask off the write bits in
+the selinux permissions check if that flag is set.
+---
+ fs/overlayfs/inode.c | 3 +++
+ include/linux/fs.h | 1 +
+ security/selinux/hooks.c | 9 +++++++++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
+index ec0c2a0..3d66617 100644
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -128,6 +128,9 @@ int ovl_permission(struct inode *inode, int mask)
+ goto out_dput;
+ }
+
++ if (!is_upper)
++ mask |= MAY_OPEN_LOWER;
++
+ err = __inode_permission(realinode, mask);
+ out_dput:
+ dput(alias);
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 72d8a84..585042b 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -82,6 +82,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate);
+ #define MAY_CHDIR 0x00000040
+ /* called from RCU mode, don't block */
+ #define MAY_NOT_BLOCK 0x00000080
++#define MAY_OPEN_LOWER 0x00000100
+
+ /*
+ * flags in file.f_mode.
Note that FMODE_READ and FMODE_WRITE must correspond
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index ecc883b..47be196 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2907,6 +2907,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
+ u32 audited, denied;
+
+ from_access = mask & MAY_ACCESS;
++
++ /*
++ * If we're trying to open the lower layer of an overlay mount, don't
++ * worry about write or append permissions - these will be verified
++ * against the upper context
++ */
++ if (mask & MAY_OPEN_LOWER)
++ mask &= ~(MAY_WRITE|MAY_APPEND);
++
+ mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
+
+ /* No permission to check. Existence test. */
+--
+2.5.0
+
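Review bot: `MAY_OPEN_LOWER` is added to the shared MAY_* bit space in fs.h without a comment, unlike its neighbour `MAY_NOT_BLOCK`, and only `selinux_inode_permission` consumes it; the bit still travels through `__inode_permission` into the lower filesystem's `->permission` and every other LSM hook unmasked, and any future in-kernel caller that sets it gets the same SELinux write bypass, so the define should say who may set it, e.g. `/* overlayfs only: check is against the lower layer; write/append are verified on the upper inode */`. After the new masking in hooks.c a write-only check on a lower inode leaves mask empty and falls into the "Existence test" path, so SELinux performs no check at all on the lower context for that access — intended per the description, but the in-hunk comment should state it. The description says writes are verified against the upper context, yet nothing in this patch adds that check; it relies on the copy-up path outside this patch, which the comment should name. The name also overstates its scope, since `ovl_permission` sets it for every non-upper permission check, not only opens. Both `ovl_permission` and `selinux_inode_permission` start before their hunks.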