On Wed, May 14, 2014 at 9:23 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 05/14/2014 12:16 PM, Andy Lutomirski wrote:
>> On Wed, May 14, 2014 at 8:58 AM, Paul Moore <pmoore@xxxxxxxxxx> wrote:
>>> We presently prevent processes from explicitly setting an arbitrary
>>> security label on new processes when NO_NEW_PRIVS is enabled; in an
>>> attempt for more consistency, this patch extends this to prevent
>>> setting an arbitrary label when the new application lives on a
>>> filesystem mounted with MNT_NOSUID.
>>>
>>> Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
>>> CC: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>>> CC: Stephen Smalley <sds@xxxxxxxxxxxxx>
>>> ---
>>
>> Acked-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>>
>> However: would it pay to move the check above this:
>>
>>     /* Reset exec SID on execve. */
>>     new_tsec->exec_sid = 0;
>>
>> I suppose that this shouldn't matter: any correct application already
>> needs to redo setexeccon if it gets an error from execve. Fixing this
>> for real would probably involve moving that line of code into
>> selinux_bprm_committed_creds.
>
> Shouldn't matter as that is a change to new_tsec (i.e.
> bprm->cred->security), which will only be applied to the process if we
> reach install_exec_creds(); otherwise it will just be discarded.
>

Indeed. Sorry for the early-morning failure to read the code.

--
Andy Lutomirski
AMA Capital Management, LLC
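
An added example, not part of the thread or of the patch: a userspace pre-check in C for the two conditions the patch description names (no_new_privs set on the caller, or the binary living on a nosuid mount), so a launcher can tell before execve that a label requested with setexeccon would be refused. The function names are hypothetical; only prctl(2) and statvfs(3) are used, and no SELinux library is needed.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/statvfs.h>

/* 1 if the calling thread has no_new_privs set, 0 if not, -1 on error. */
int nnp_enabled(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* 1 if `path` sits on a filesystem mounted nosuid, 0 if not, -1 on error. */
int on_nosuid_mount(const char *path)
{
    struct statvfs vfs;

    if (statvfs(path, &vfs) != 0)
        return -1;
    return (vfs.f_flag & ST_NOSUID) ? 1 : 0;
}

/*
 * Hypothetical helper: 1 if either condition from the patch description
 * holds for exec'ing `path`, 0 if neither holds, -1 if neither is known
 * to hold but one of the checks failed.
 */
int exec_label_restricted(const char *path)
{
    int nnp = nnp_enabled();
    int nosuid = on_nosuid_mount(path);

    if (nnp == 1 || nosuid == 1)
        return 1;
    if (nnp < 0 || nosuid < 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Default target is the running binary itself. */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";

    printf("no_new_privs=%d nosuid=%d restricted=%d (%s)\n",
           nnp_enabled(), on_nosuid_mount(path),
           exec_label_restricted(path), path);
    return 0;
}
```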