Commit f667aef6 authored by Qu Wenruo's avatar Qu Wenruo Committed by Chris Mason
Browse files

btrfs: Make btrfs handle security mount options internally to avoid losing security label. 



[BUG]
Originally when mount btrfs with "-o subvol=" mount option, btrfs will
lose all security lable.
And if the btrfs fs is mounted somewhere else, due to the lost of
security lable, SELinux will refuse to mount since the same super block
is being mounted using different security lable.

[REPRODUCER]
With SELinux enabled:
 #mkfs -t btrfs /dev/sda5
 #mount -o context=system_u:object_r:nfs_t:s0 /dev/sda5 /mnt/btrfs
 #btrfs subvolume create /mnt/btrfs/subvol
 #mount -o subvol=subvol,context=system_u:object_r:nfs_t:s0 /dev/sda5
  /mnt/test

kernel message:
SELinux: mount invalid.  Same superblock, different security settings
for (dev sda5, type btrfs)

[REASON]
This happens because btrfs will call vfs_kern_mount() and then
mount_subtree() to handle subvolume name lookup.
First mount will cut off all the security lables and when it comes to
the second vfs_kern_mount(), it has no security label now.

[FIX]
This patch will makes btrfs behavior much more like nfs,
which has the type flag FS_BINARY_MOUNTDATA,
making btrfs handles the security label internally.
So security label will be set in the real mount time and won't lose
label when use with "subvol=" mount option.

Reported-by: default avatarEryu Guan <guaneryu@gmail.com>
Signed-off-by: default avatarQu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: default avatarChris Mason <clm@fb.com>
parent 0ec31a61

fs/btrfs/ctree.h

+5 −0
Original line number Diff line number Diff line
@@ -34,6 +34,7 @@ 
#include <linux/pagemap.h>

#include <linux/btrfs.h>

#include <linux/workqueue.h>

#include <linux/security.h>

#include "extent_io.h"

#include "extent_map.h"

#include "async-thread.h"
@@ -1725,6 +1726,9 @@ struct btrfs_fs_info { 


	spinlock_t unused_bgs_lock;

	struct list_head unused_bgs;



	/* For btrfs to record security options */

	struct security_mnt_opts security_opts;

};



struct btrfs_subvolume_writers {
@@ -3591,6 +3595,7 @@ static inline void free_fs_info(struct btrfs_fs_info *fs_info) 
	kfree(fs_info->uuid_root);

	kfree(fs_info->super_copy);

	kfree(fs_info->super_for_commit);

	security_free_mnt_opts(&fs_info->security_opts);

	kfree(fs_info);

}

fs/btrfs/super.c

+92 −5
Original line number Diff line number Diff line
@@ -1215,6 +1215,54 @@ static struct dentry *mount_subvol(const char *subvol_name, int flags, 
	return root;

}



static int parse_security_options(char *orig_opts,

				  struct security_mnt_opts *sec_opts)

{

	char *secdata = NULL;

	int ret = 0;



	secdata = alloc_secdata();

	if (!secdata)

		return -ENOMEM;

	ret = security_sb_copy_data(orig_opts, secdata);

	if (ret) {

		free_secdata(secdata);

		return ret;

	}

	ret = security_sb_parse_opts_str(secdata, sec_opts);

	free_secdata(secdata);

	return ret;

}



static int setup_security_options(struct btrfs_fs_info *fs_info,

				  struct super_block *sb,

				  struct security_mnt_opts *sec_opts)

{

	int ret = 0;



	/*

	 * Call security_sb_set_mnt_opts() to check whether new sec_opts

	 * is valid.

	 */

	ret = security_sb_set_mnt_opts(sb, sec_opts, 0, NULL);

	if (ret)

		return ret;



	if (!fs_info->security_opts.num_mnt_opts) {

		/* first time security setup, copy sec_opts to fs_info */

		memcpy(&fs_info->security_opts, sec_opts, sizeof(*sec_opts));

	} else {

		/*

		 * Since SELinux(the only one supports security_mnt_opts) does

		 * NOT support changing context during remount/mount same sb,

		 * This must be the same or part of the same security options,

		 * just free it.

		 */

		security_free_mnt_opts(sec_opts);

	}

	return ret;

}



/*

 * Find a superblock for the given device / mount point.

 *
@@ -1229,6 +1277,7 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags, 
	struct dentry *root;

	struct btrfs_fs_devices *fs_devices = NULL;

	struct btrfs_fs_info *fs_info = NULL;

	struct security_mnt_opts new_sec_opts;

	fmode_t mode = FMODE_READ;

	char *subvol_name = NULL;

	u64 subvol_objectid = 0;
@@ -1251,9 +1300,16 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags, 
		return root;

	}



	error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices);

	security_init_mnt_opts(&new_sec_opts);

	if (data) {

		error = parse_security_options(data, &new_sec_opts);

		if (error)

			return ERR_PTR(error);

	}



	error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices);

	if (error)

		goto error_sec_opts;



	/*

	 * Setup a dummy root and fs_info for test/set super.  This is because
@@ -1262,13 +1318,16 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags, 
	 * then open_ctree will properly initialize everything later.

	 */

	fs_info = kzalloc(sizeof(struct btrfs_fs_info), GFP_NOFS);

	if (!fs_info)

		return ERR_PTR(-ENOMEM);

	if (!fs_info) {

		error = -ENOMEM;

		goto error_sec_opts;

	}



	fs_info->fs_devices = fs_devices;



	fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_NOFS);

	fs_info->super_for_commit = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_NOFS);

	security_init_mnt_opts(&fs_info->security_opts);

	if (!fs_info->super_copy || !fs_info->super_for_commit) {

		error = -ENOMEM;

		goto error_fs_info;
@@ -1306,8 +1365,19 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags, 
	}



	root = !error ? get_default_root(s, subvol_objectid) : ERR_PTR(error);

	if (IS_ERR(root))

	if (IS_ERR(root)) {

		deactivate_locked_super(s);

		error = PTR_ERR(root);

		goto error_sec_opts;

	}



	fs_info = btrfs_sb(s);

	error = setup_security_options(fs_info, s, &new_sec_opts);

	if (error) {

		dput(root);

		deactivate_locked_super(s);

		goto error_sec_opts;

	}



	return root;
@@ -1315,6 +1385,8 @@ error_close_devices: 
	btrfs_close_devices(fs_devices);

error_fs_info:

	free_fs_info(fs_info);

error_sec_opts:

	security_free_mnt_opts(&new_sec_opts);

	return ERR_PTR(error);

}
@@ -1396,6 +1468,21 @@ static int btrfs_remount(struct super_block *sb, int *flags, char *data) 
	sync_filesystem(sb);

	btrfs_remount_prepare(fs_info);



	if (data) {

		struct security_mnt_opts new_sec_opts;



		security_init_mnt_opts(&new_sec_opts);

		ret = parse_security_options(data, &new_sec_opts);

		if (ret)

			goto restore;

		ret = setup_security_options(fs_info, sb,

					     &new_sec_opts);

		if (ret) {

			security_free_mnt_opts(&new_sec_opts);

			goto restore;

		}

	}



	ret = btrfs_parse_options(root, data);

	if (ret) {

		ret = -EINVAL;
@@ -1775,7 +1862,7 @@ static struct file_system_type btrfs_fs_type = { 
	.name		= "btrfs",

	.mount		= btrfs_mount,

	.kill_sb	= btrfs_kill_super,

	.fs_flags	= FS_REQUIRES_DEV,

	.fs_flags	= FS_REQUIRES_DEV | FS_BINARY_MOUNTDATA,

};

MODULE_ALIAS_FS("btrfs");

CRA Git | Maintained and supported by SUSTech CRA and CCSE