Google Git
Sign in
chromium / chromiumos / third_party / kernel / refs/heads/stabilize-14385.B-chromeos-4.19-ht
commit9543f0d71bd43440bfa9743caab48b5a0f22dc7e[log] [tgz]
authorBenjamin Gordon <bmgordon@chromium.org>Thu Mar 26 19:23:28 2020
committerCommit Bot <commit-bot@chromium.org>Mon Nov 08 21:07:09 2021
tree1a1dbf69cdeed28692091d3d4500d108698ba50b
parent0ac5a62089a6183656238c0942d214553d241574 [diff]
CHROMIUM: LSM: Convert symlink checks to MNT_NOSYMFOLLOW

The chromiumos LSM previously tracked a nosymfollow mount parameter that
it removed from the mount options before passing them through to the fs.
It shared the security page with SELinux by assuming that it could
control page allocation and write to an offset larger than the size
needed by SELinux.  After the VFS security hooks were refactored, these
assumptions no longer apply.  Mounting a filesystem with SELinux options
triggers a kernel panic when the chromiumos lsm structure isn't found at
the expected offset.

The VFS gained a nosymfollow mount option that enforces the same
behavior in commit 03e64555f1a0 ("Add a "nosymfollow" mount option."),
so keeping separate track of this flag is no longer necessary.  This
change removes the lsm nosymfollow functionality and simply enforces
that the flag can't be removed with a remount instead.

There are three effective differences in behavior:

1. The nosymfollow can be added with mount -oremount.  Once on, it can't
   be removed, so this shouldn't be a decrease in security.
2. Warnings are no longer emitted to the logs when symlink traversal is
   blocked because the VFS checks MNT_NOSYMFOLLOW before calling
   security hooks.  I didn't find any bugs with the logged text in them,
   so I think this isn't an important loss.
3. The error is now -ELOOP instead of -EPERM because that's what
   upstream used.

This change is similar to crrev.com/c/2122916, but backported to account
for the lsm differences in 4.19 and with the fix in crrev.com/c/2151712
applied.

BUG=b:152074038
TEST=test_that security_NosymfollowMountOption.baseline
     test_that security_NosymfollowMountOption.test_selinux_interaction
     test_that cheets_CTS_P.{arm,x86}.CtsOsTestCases
     tast run security.StatefulPartitionHardening

Signed-off-by: Benjamin Gordon <bmgordon@chromium.org>
Change-Id: I01fc8ce512ff51dfd387e3f15f8eb201318ea2d3
(cherry picked from commit ba5681dc23a0aadbc3d9f76500ea68d82b1e6db3)
Signed-off-by: Sarthak Kukreti <sarthakkukreti@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3261326
Commit-Queue: Sarthak Kukreti <sarthakkukreti@chromium.org>
Tested-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
1 file changed
tree: 1a1dbf69cdeed28692091d3d4500d108698ba50b
  1. arch/
  2. block/
  3. certs/
  4. chromeos/
  5. crypto/
  6. Documentation/
  7. drivers/
  8. firmware/
  9. fs/
  10. include/
  11. init/
  12. ipc/
  13. kernel/
  14. lib/
  15. LICENSES/
  16. mm/
  17. net/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .cocciconfig
  27. .get_maintainer.ignore
  28. .gitattributes
  29. .gitignore
  30. .mailmap
  31. COPYING
  32. CREDITS
  33. Kbuild
  34. Kconfig
  35. MAINTAINERS
  36. Makefile
  37. PRESUBMIT.cfg
  38. README
  39. test-class-skip.c
  40. test-prctl.c