selinux: Add support for unprivileged mounts from user namespaces
author: Seth Forshee <seth.forshee@canonical.com>
        Tue, 26 Apr 2016 19:36:20 +0000 (14:36 -0500)
committer: Eric W. Biederman <ebiederm@xmission.com>
        Fri, 24 Jun 2016 16:02:54 +0000 (11:02 -0500)
commit: aad82892af261b9903cc11c55be3ecf5f0b0b4f8
tree: 63dd314cee5d53b1c17e002d2be94dfff3f23289
parent: 809c02e091a8272bc8586a5d606565bc900f3467
selinux: Add support for unprivileged mounts from user namespaces

Security labels from unprivileged mounts in user namespaces must
be ignored. Force superblocks from user namespaces whose labeling
behavior is to use xattrs to use mountpoint labeling instead.
For the mountpoint label, default to converting the current task
context into a form suitable for file objects, but also allow the
policy writer to specify a different label through policy
transition rules.

Pieced together from code snippets provided by Stephen Smalley.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
security/selinux/hooks.c
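As an added illustration (not code from this commit or from the kernel), the following user-space C model captures the rule the message states: an xattr-labeled superblock mounted from a user namespace is forced to mountpoint labeling, and its mountpoint label is the mounting task's context in file-object form unless a policy transition rule keyed on (task, task, file) picks a different type. The context strings, the behavior constants and the transition table are constructed for the example.

```c
/* Constructed user-space model of the labeling rule this commit describes;
 * not the kernel's code in hooks.c. Contexts are user:role:type strings and
 * the transition table below is made up. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum fs_behavior { FS_USE_XATTR, FS_USE_TRANS, FS_USE_TASK, FS_USE_MNTPOINT };
enum { CLASS_FILE = 1 };
struct context { const char *user, *role, *type; };
/* One type_transition rule: (source type, target type, class) -> result type. */
struct trans_rule { const char *src, *tgt; int cls; const char *result; };

/* Constructed policy: only userns_mounter_t has a rule; unconfined_t has none. */
static const struct trans_rule policy[] = {
    { "userns_mounter_t", "userns_mounter_t", CLASS_FILE, "userns_mount_t" },
};

/* Stand-in for the kernel's transition lookup keyed (task, task, file).
 * Default: the task context converted to file-object form, i.e. the same
 * user and type with the role replaced by object_r. */
static struct context file_label_for_task(struct context task)
{
    struct context out = { task.user, "object_r", task.type };
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].cls == CLASS_FILE && !strcmp(policy[i].src, task.type)
            && !strcmp(policy[i].tgt, task.type))
            out.type = policy[i].result;
    return out;
}

struct sb_model {
    enum fs_behavior behavior;
    struct context mntpoint;   /* only meaningful for FS_USE_MNTPOINT */
};

/* from_user_ns stands for sb->s_user_ns != &init_user_ns. Only xattr-labeled
 * filesystems mounted from a user namespace are switched to mountpoint
 * labeling; everything else keeps the filesystem's normal behavior. */
struct sb_model label_mount(bool from_user_ns, enum fs_behavior fs_default,
                            struct context task)
{
    struct sb_model sb = { fs_default, { NULL, NULL, NULL } };
    if (from_user_ns && fs_default == FS_USE_XATTR) {
        sb.behavior = FS_USE_MNTPOINT;   /* labels stored on the fs are ignored */
        sb.mntpoint = file_label_for_task(task);
    }
    return sb;
}
```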