Merge pull request #1703 from mjg59/master

Fix up selinux policy for overlays

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff

@@ -1,7 +1,7 @@
-diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs
+diff -ur work.orig/refpolicy/policy/mcs work/refpolicy/policy/mcs
---- refpolicy.orig/policy/mcs	2014-06-16 10:44:12.000000000 -0700
+--- refpolicy/policy/mcs	2015-12-18 13:41:18.655947448 +0000
-+++ refpolicy/policy/mcs	2015-09-09 16:40:55.212940234 -0700
++++ refpolicy/policy/mcs	2015-12-18 13:42:40.364890957 +0000
-@@ -99,14 +99,14 @@
+@@ -100,14 +100,14 @@
  # New filesystem object labels must be dominated by the relabeling subject
  # clearance, also the objects are single-level.
  mlsconstrain file { create relabelto }
@@ -10,7 +10,8 @@ diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs
  
  # new file labels must be dominated by the relabeling subject clearance
  mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- 	( h1 dom h2 );
+-	( h1 dom h2 );
++	(( h1 dom h2 ) or (t1 == mcswriteall));
  
  mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
 -	(( h1 dom h2 ) and ( l2 eq h2 ));

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff

@@ -11,7 +11,6 @@ diff -ur refpolicy.orig/policy/modules/contrib/virt.te refpolicy/policy/modules/
 +	type tmpfs_t;
 +	type var_lib_t;
 +}
-+
 +allow kernel_t svirt_lxc_net_t:process transition;
 +fs_manage_tmpfs_chr_files(svirt_lxc_net_t)
 +fs_manage_tmpfs_dirs(svirt_lxc_net_t)
@@ -26,9 +25,10 @@ diff -ur refpolicy.orig/policy/modules/contrib/virt.te refpolicy/policy/modules/
 +files_read_var_lib_files(svirt_lxc_net_t)
 +files_read_var_lib_symlinks(svirt_lxc_net_t)
 +term_use_generic_ptys(svirt_lxc_net_t)
++term_setattr_generic_ptys(svirt_lxc_net_t)
 +allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
 +allow svirt_lxc_net_t self:capability sys_chroot;
 +allow svirt_lxc_net_t self:process getpgid;
 +allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
-+allow svirt_lxc_net_t var_lib_t:file { execute execute_no_trans };
++allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
 +

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.3.3-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.3-r1.ebuild

@@ -37,5 +37,6 @@ UNIPATCH_LIST="
         ${PATCH_DIR}/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch \
         ${PATCH_DIR}/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
         ${PATCH_DIR}/0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+	${PATCH_DIR}/0022-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
 "
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0022-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch

@@ -0,0 +1,68 @@
+From 3f2106fe2342d05f79dcef78da4cccc22c572b3b Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@coreos.com>
+Date: Tue, 22 Dec 2015 07:43:52 +0000
+Subject: [PATCH] Don't verify write permissions on lower inodes on overlayfs
+
+If a user opens a file r/w on overlayfs, and if the underlying inode is
+currently still on the lower fs, right now we're verifying whether selinux
+policy permits writes to the selinux context on the underlying inode. This
+is suboptimal, since we don't want confined processes to be able to write to
+these files if they're able to escape from a container and so don't want to
+permit this in policy. Have overlayfs pass down an additional flag when
+verifying the permission on lower inodes, and mask off the write bits in
+the selinux permissions check if that flag is set.
+---
+ fs/overlayfs/inode.c     | 3 +++
+ include/linux/fs.h       | 1 +
+ security/selinux/hooks.c | 9 +++++++++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
+index ec0c2a0..3d66617 100644
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -128,6 +128,9 @@ int ovl_permission(struct inode *inode, int mask)
+ 			goto out_dput;
+ 	}
+ 
++	if (!is_upper)
++		mask |= MAY_OPEN_LOWER;
++
+ 	err = __inode_permission(realinode, mask);
+ out_dput:
+ 	dput(alias);
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 72d8a84..585042b 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -82,6 +82,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate);
+ #define MAY_CHDIR		0x00000040
+ /* called from RCU mode, don't block */
+ #define MAY_NOT_BLOCK		0x00000080
++#define MAY_OPEN_LOWER		0x00000100
+ 
+ /*
+  * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index ecc883b..47be196 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2907,6 +2907,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
+ 	u32 audited, denied;
+ 
+ 	from_access = mask & MAY_ACCESS;
++
++	/*
++	 * If we're trying to open the lower layer of an overlay mount, don't
++	 * worry about write or append permissions - these will be verified
++	 * against the upper context
++	 */
++	if (mask & MAY_OPEN_LOWER)
++		mask &= ~(MAY_WRITE|MAY_APPEND);
++
+ 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
+ 
+ 	/* No permission to check.  Existence test. */
+-- 
+2.5.0
+