On Mon, Jan 16, 2012 at 1:47 PM, Colin Walters <walters@xxxxxxxxxx> wrote:
> On Mon, 2012-01-16 at 13:25 -0800, Andy Lutomirski wrote:
>
>> The MS_NOSUID semantics are somewhat ridiculous for selinux,
>
> I don't see how they're ridiculous.

exec_sid is silently ignored. So runcon will not switch context but will
still appear to succeed.

>
>> and I'd
>> rather not make them match for no_new_privs.
>
> Note your patch for selinux does exactly the same thing in the NOSUID
> case and your NO_NEW_PRIVS flag. Right?
>
> - if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
> + if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
> + (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
> new_tsec->sid = old_tsec->sid;
>

See several lines up.

>
>> AppArmor completely
>> ignores MS_NOSUID,
>
> Ugh...well, I guess if it doesn't store any security data associated
> with files, only with file names, then there's nothing for it to do.

Nope. It looks it up by file name or path, I think.

> Like I said before though, I think SELinux is the only sane LSM.

I think the fact that there is a bprm_set_creds hook at all is insane,
but maybe that's just me. I think this is one of the things that
Windows does far better than POSIX. On Windows, CreateProcess (the
moral equivalent of execve) never gains privileges.

--Andy
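Review bot: in the quoted hunk, `new_tsec->sid = old_tsec->sid;` makes the LSM_UNSAFE_NO_NEW_PRIVS case inherit the nosuid behaviour of silently discarding a requested transition (exec_sid) while still letting the exec proceed, so a caller such as runcon observes success without any context change; if no_new_privs is meant to forbid the transition rather than quietly drop the request, consider failing the exec in that branch, or at least documenting that exec_sid is ignored there, so the caller can detect the suppressed transition.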
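As an added example (not code from the thread or from the kernel patch under discussion): a POSIX shell check that a runcon request actually changed the SELinux type, rather than trusting runcon's exit status, which is exactly the failure mode described above. The sample contexts are constructed; `verify_runcon` assumes a host with SELinux, runcon and `id -Z`, and `no_new_privs_set` assumes the Linux `NoNewPrivs` field in /proc/self/status.

```shell
#!/bin/sh
# Added example: detect a silently ignored SELinux context transition.
# On a nosuid mount (and, per the patch discussed, under no_new_privs)
# the kernel keeps the old SID but the exec still succeeds, so runcon's
# exit status says nothing; only the resulting context does.

# context_type CONTEXT -> prints the type field (third colon-separated field)
# e.g. unconfined_u:unconfined_r:sandbox_t:s0 -> sandbox_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# transition_applied REQUESTED OBSERVED -> 0 if the observed context carries
# the requested type, 1 if the requested exec_sid was silently dropped.
transition_applied() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# verify_runcon CONTEXT -> runs `id -Z` under runcon and reports whether the
# requested type was actually applied (requires an SELinux-enabled host).
#   0: transition applied, 1: exec succeeded but context unchanged,
#   2: runcon itself failed.
verify_runcon() {
    requested=$1
    observed=$(runcon "$requested" id -Z 2>/dev/null) || {
        echo "runcon failed outright"
        return 2
    }
    if transition_applied "$requested" "$observed"; then
        echo "transition applied: $observed"
    else
        echo "transition silently ignored: still $observed"
        return 1
    fi
}

# no_new_privs_set -> 0 if the calling shell has NoNewPrivs set, a reason the
# kernel may keep the old SID (assumes Linux /proc/self/status; constructed
# check, not from the thread).
no_new_privs_set() {
    grep -q '^NoNewPrivs:[[:space:]]*1' /proc/self/status 2>/dev/null
}

# Constructed sample pair illustrating the silent case (not real output):
#   requested: unconfined_u:unconfined_r:sandbox_t:s0
#   observed:  unconfined_u:unconfined_r:unconfined_t:s0
# transition_applied on these returns 1 even though runcon exited 0.
```

Run `verify_runcon some_u:some_r:some_t:s0` in a sandboxing wrapper before trusting that the confined context is in effect; a non-zero return means the request was refused or, in the nosuid/no_new_privs case, ignored without error.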