We presently prevent processes from explicitly setting an arbitrary security label on new processes when NO_NEW_PRIVS is enabled; in an attempt for more consistency, this patch extends this to prevent setting an arbitrary label when the new application lives on a filesystem mounted with MNT_NOSUID. Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx> CC: Andy Lutomirski <luto@xxxxxxxxxxxxxx> CC: Stephen Smalley <sds@xxxxxxxxxxxxx> --- security/selinux/hooks.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 57b0b49..6fafe86 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2106,11 +2106,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) new_tsec->exec_sid = 0; /* - * Minimize confusion: if no_new_privs and a transition is - * explicitly requested, then fail the exec. + * Minimize confusion: if no_new_privs or nosuid and a + * transition is explicitly requested, then fail the exec. */ if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) return -EPERM; + if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) + return -EACCES; } else { /* Check for a default transition on this program. */ rc = security_transition_sid(old_tsec->sid, isec->sid,
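
Review bot: The added MNT_NOSUID check in selinux_bprm_set_creds() returns -EACCES, while the LSM_UNSAFE_NO_NEW_PRIVS check directly above it returns -EPERM for what the updated comment describes as the same situation (an explicitly requested transition that must fail the exec). Since the commit message gives consistency as the motivation, either return the same errno from both checks or say in the comment and the commit message why they differ, so a caller that set an exec label can tell which restriction it hit. The commit message should also state that this is a user-visible behavior change: an exec with an explicitly requested label that previously proceeded on a nosuid mount now fails outright. Finally, the visible lines only cover the explicit exec_sid branch; it would help to note whether the default-transition path in the else branch is handled elsewhere for nosuid mounts.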