Re: [PATCH] nvme-tcp: fix selinux denied when calling sock_sendmsg

From: Keith Busch
Date: Thu Mar 20 2025 - 16:15:28 EST

Next message: Michael Kelley: "RE: fbdev deferred I/O broken in some scenarios"
Previous message: Keith Busch: "Re: [PATCH v2] nvmet: replace max(a, min(b, c)) by clamp(val, lo, hi)"
In reply to: Christoph Hellwig: "Re: [PATCH] nvme-tcp: fix selinux denied when calling sock_sendmsg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 20, 2025 at 02:35:23PM +0800, shaopeijie@xxxxxxxx wrote:
> From: Peijie Shao <shaopeijie@xxxxxxxx>
>
> In a SELinux enabled kernel, socket_create() initializes the
> security label of the socket using the security label of the
> calling process, this typically works well.
>
> However, in a containerized environment like Kubernetes,
> problem arises when a privileged container(domain spc_t)
> connects to an NVMe target and mounts the NVMe as persistent
> storage for unprivileged containers(domain container_t).
>
> This is because the container_t domain cannot access
> resources labeled with spc_t, resulting in socket_sendmsg
> returning -EACCES.
>
> The solution is to use socket_create_kern() instead of
> socket_create(), which labels the socket context to kernel_t.
> Access control will then be handled by the VFS layer rather
> than the socket itself.

Thanks, applied to nvme-6.15.

Next message: Michael Kelley: "RE: fbdev deferred I/O broken in some scenarios"
Previous message: Keith Busch: "Re: [PATCH v2] nvmet: replace max(a, min(b, c)) by clamp(val, lo, hi)"
In reply to: Christoph Hellwig: "Re: [PATCH] nvme-tcp: fix selinux denied when calling sock_sendmsg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]