Linux v4.10-rc4-199-ge90665a

gitrev

@@ -1 +1 @@
-81aaeaac461071c591cbd188748ad875e0efae7e
+e90665a5d38b17fdbe484a85fbba917a7006522d

kernel.spec

@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 4
 # The git snapshot level
-%define gitrev 3
+%define gitrev 4
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -587,6 +587,9 @@ Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
 # Fix build issue with armada_trace
 Patch851: Armada-trace-build-fix.patch
 
+# selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
+Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2157,6 +2160,9 @@ fi
 #
 #
 %changelog
+* Fri Jan 20 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc4.git4.1
+- Linux v4.10-rc4-199-ge90665a
+
 * Fri Jan 20 2017 Peter Robinson <pbrobinson@fedoraproject.org>
 - Initial DT support for Hummingboard 2 (Edge/Gate)
 

selinux-allow-context-mounts-on-tmpfs-etc.patch

@@ -0,0 +1,57 @@
+From 01593d3299a1cfdb5e08acf95f63ec59dd674906 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Mon, 9 Jan 2017 10:07:31 -0500
+Subject: [PATCH] selinux: allow context mounts on tmpfs, ramfs, devpts within
+ user namespaces
+
+commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
+unprivileged mounts from user namespaces") prohibited any use of context
+mount options within non-init user namespaces.  However, this breaks
+use of context mount options for tmpfs mounts within user namespaces,
+which are being used by Docker/runc.  There is no reason to block such
+usage for tmpfs, ramfs or devpts.  Exempt these filesystem types
+from this restriction.
+
+Before:
+sh$ userns_child_exec  -p -m -U -M '0 1000 1' -G '0 1000 1' bash
+sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
+mount: tmpfs is write-protected, mounting read-only
+mount: cannot mount tmpfs read-only
+
+After:
+sh$ userns_child_exec  -p -m -U -M '0 1000 1' -G '0 1000 1' bash
+sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
+sh# ls -Zd /tmp
+unconfined_u:object_r:user_tmp_t:s0:c13 /tmp
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/hooks.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index e4b953f..e32f4b5 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
+ 	}
+ 
+ 	/*
+-	 * If this is a user namespace mount, no contexts are allowed
+-	 * on the command line and security labels must be ignored.
++	 * If this is a user namespace mount and the filesystem type is not
++	 * explicitly whitelisted, then no contexts are allowed on the command
++	 * line and security labels must be ignored.
+ 	 */
+-	if (sb->s_user_ns != &init_user_ns) {
++	if (sb->s_user_ns != &init_user_ns &&
++	    strcmp(sb->s_type->name, "tmpfs") &&
++	    strcmp(sb->s_type->name, "ramfs") &&
++	    strcmp(sb->s_type->name, "devpts")) {
+ 		if (context_sid || fscontext_sid || rootcontext_sid ||
+ 		    defcontext_sid) {
+ 			rc = -EACCES;
+-- 
+2.9.3
+

sources

@@ -1,4 +1,4 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
 SHA512 (patch-4.10-rc4.xz) = 89d903d52ff907f3911ac09214d1299c310fd67b7ff36170c6233e6348049fb0f669ba245a8ca310f52c91eb523aa5f91a9b52f4c67ca932b951fe2c60f25ae5
-SHA512 (patch-4.10-rc4-git3.xz) = f828c62b03e2814b2cf6aadab27a1d262917871cb2d4d696360dd0dee0765aaec0bf1621de6d67d133613b455be1c6251437d59920fde31c0f52cd9e081339b0
+SHA512 (patch-4.10-rc4-git4.xz) = aac2b5ff9120aab1c7aa539eca02c7e743e064f8788c51338cf8855a17cd225ebc36261c9e27da398fbbb42ec2742f202a084fef01ddf3e18861d1fdd1483897