libselinux: add selinux_unshare()

Add a selinux_unshare() interface to unshare the SELinux namespace, and
a unshareselinux utility to run a shell or command in its own SELinux
and mount namespaces. The selinux_unshare() interface expects the caller
to have already unshared its mount namespace and created a
MS_REC|MS_PRIVATE mount of / prior to invoking it so that it can freely
modify the selinuxfs mount as needed by the unshare operation. The
unshareselinux utility demonstrates how to do this prior to calling
selinux_unshare(). Upon a successful return from selinux_unshare(),
the SELinux namespace will be unshared and there will be no selinuxfs
mount on /sys/fs/selinux.  The caller can then proceed to mount a new
selinuxfs filesystem private to the new namespace, load a policy,
set enforcing mode, etc, as is commonly handled by init/systemd during
boot.

If/when this gets merged, the new selinux_unshare() symbol should
be moved to its own version in libselinux.map.

Signed-off-by: Stephen Smalley <[email protected]>

Author: stephensmalley

libselinux/include/selinux/selinux.h

@@ -760,6 +760,19 @@ extern int selinux_lsetfilecon_default(const char *path);
  */
 extern void selinux_reset_config(void);
 
+/*
+ * Unshare the SELinux namespace.
+ * Prior to invoking this API, the caller must have unshared the
+ * mount namespace (CLONE_NEWNS) and mounted a MS_REC|MS_PRIVATE
+ * / filesystem so that selinux_unshare() can freely modify any
+ * existing selinuxfs mount as needed for the unshare.
+ * Returns 0 on success, in which case the SELinux namespace has
+ * been unshared and any old selinuxfs mount will have been unmounted.
+ * The caller can then proceed to mount a new selinuxfs filesystem
+ * for the new namespace, load a policy, set enforcing mode, etc.
+ */
+extern int selinux_unshare(void);
+
 #ifdef __cplusplus
 }
 #endif

libselinux/src/libselinux.map

@@ -251,6 +251,7 @@ LIBSELINUX_3.5 {
   global:
     getpidprevcon;
     getpidprevcon_raw;
+    selinux_unshare;
 } LIBSELINUX_3.4;
 
 LIBSELINUX_3.8 {

libselinux/src/unshare.c

@@ -0,0 +1,88 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+
+#include <sched.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/mount.h>
+#include <sys/vfs.h>
+#include <sys/statvfs.h>
+
+#include "selinux_internal.h"
+#include "policy.h"
+
+/*
+ * Precondition: caller must have already done unshare(CLONE_NEWNS) or
+ * been created via clone(CLONE_NEWNS) and mounted a MS_REC|MS_PRIVATE
+ * / filesystem so that any pre-existing selinuxfs mount can be
+ * modified freely by selinux_unshare(). See ../utils/unshareselinux.c
+ * for an example.
+ */
+int selinux_unshare(void)
+{
+	struct statfs fs;
+	int ret, fd;
+	char buf[3] = "1\n";
+
+	ret = statfs(SELINUXMNT, &fs);
+	if (ret < 0) {
+		/*
+		 * Should we try to handle this gracefully?
+		 * If it fails due to /sys not being mounted, then we could
+		 * mount sysfs and try to continue here.
+		 */
+		return ret;
+	}
+
+	if ((uint32_t) fs.f_type == (uint32_t) SELINUX_MAGIC) {
+		if (fs.f_flags & ST_RDONLY) {
+			/*
+			 * selinuxfs is mounted read-only; try re-mounting
+			 * read-write temporarily so that we can unshare it.
+			 */
+			ret = mount(SELINUXFS, SELINUXMNT, SELINUXFS,
+				    MS_REMOUNT | MS_BIND | MS_NOEXEC |
+				    MS_NOSUID, 0);
+			if (ret < 0)
+				return -1;
+		}
+	} else {
+		/*
+		 * selinuxfs is not mounted; try mounting it temporarily so
+		 * that we can unshare it.
+		 */
+		ret = mount(SELINUXFS, SELINUXMNT, SELINUXFS,
+			    MS_NOEXEC | MS_NOSUID, 0);
+		if (ret < 0)
+			return -1;
+	}
+
+	/*
+	 * Unshare SELinux namespace
+	 */
+	fd = open(SELINUXMNT "/unshare", O_WRONLY);
+	if (fd < 0)
+		return -1;
+	ret = write(fd, buf, sizeof(buf));
+	if (ret != sizeof(buf)) {
+		int sv_errno = errno;
+		close(fd);
+		errno = sv_errno;
+		return -1;
+	}
+	close(fd);
+
+	/*
+	 * Now unmount the old selinuxfs which refers to the old/parent namespace
+	 */
+	ret = umount(SELINUXMNT);
+	if (ret < 0)
+		return ret;
+
+	return 0;
+}

libselinux/utils/.gitignore

@@ -30,3 +30,4 @@ setfilecon
 togglesebool
 selinux_check_access
 validatetrans
+unshareselinux

libselinux/utils/unshareselinux.c

@@ -0,0 +1,42 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/mount.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv)
+{
+	int ret;
+
+	ret = unshare(CLONE_NEWNS);
+	if (ret < 0) {
+		perror("unshare(CLONE_NEWNS)");
+		exit(1);
+	}
+
+	ret = mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL);
+	if (ret < 0) {
+		perror("mount(/)");
+		exit(1);
+	}
+
+	ret = selinux_unshare();
+	if (ret < 0) {
+		perror("selinux_unshare");
+		exit(1);
+	}
+
+	if (argc < 2) {
+		fprintf(stderr, "usage: %s command args...\n", argv[0]);
+		exit(1);
+	}
+
+	execvp(argv[1], &argv[1]);
+	perror(argv[1]);
+}