diff options
| author | Peijie Shao <[email protected]> | 2025-03-20 06:35:23 +0000 |
|---|---|---|
| committer | Keith Busch <[email protected]> | 2025-03-20 23:53:56 +0000 |
| commit | 1be52169c3488ef98582ed553ab35cefa3978817 (patch) | |
| tree | df3cc927f1aa7b1e791e6724dbb507ad4dcf9adc /net/unix/unix_bpf.c | |
| parent | nvmet: pci-epf: Always configure BAR0 as 64-bit (diff) | |
| download | kernel-1be52169c3488ef98582ed553ab35cefa3978817.tar.gz kernel-1be52169c3488ef98582ed553ab35cefa3978817.zip | |
nvme-tcp: fix selinux denied when calling sock_sendmsg
In a SELinux enabled kernel, socket_create() initializes the security
label of the socket using the security label of the calling process,
this typically works well.
However, in a containerized environment like Kubernetes, problem arises
when a privileged container(domain spc_t) connects to an NVMe target and
mounts the NVMe as persistent storage for unprivileged containers(domain
container_t).
This is because the container_t domain cannot access resources labeled
with spc_t, resulting in socket_sendmsg returning -EACCES.
The solution is to use socket_create_kern() instead of socket_create(),
which labels the socket context to kernel_t. Access control will then
be handled by the VFS layer rather than the socket itself.
Signed-off-by: Peijie Shao <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Signed-off-by: Keith Busch <[email protected]>
Diffstat (limited to 'net/unix/unix_bpf.c')
0 files changed, 0 insertions, 0 deletions