On Wed, May 14, 2014 at 2:00 PM, Paul Moore <pmoore@xxxxxxxxxx> wrote:
> On Wednesday, May 14, 2014 09:18:35 AM Andy Lutomirski wrote:
>> > On Wed, May 14, 2014 at 8:58 AM, Paul Moore <pmoore@xxxxxxxxxx> wrote:
>> >> We presently prevent processes from explicitly setting an arbitrary
>> >> security label on new processes when NO_NEW_PRIVS is enabled; in an
>> >> attempt for more consistency, this patch extends this to prevent
>> >> setting an arbitrary label when the new application lives on a
>> >> filesystem mounted with MNT_NOSUID.
>> >>
>> >> Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
>> >> CC: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>> >> CC: Stephen Smalley <sds@xxxxxxxxxxxxx>
>> >> ---
>> >
>> Acked-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>>
>> I'm also unconvinced by the subject line -- would "selinux: return an
>> error when rejecting settexeccon on MNT_NOSUID applications" be
>> better?
>
> ...
>
> On Wednesday, May 14, 2014 12:28:24 PM Stephen Smalley wrote:
>> On 05/14/2014 11:58 AM, Paul Moore wrote:
>> > We presently prevent processes from explicitly setting an arbitrary
>> > security label on new processes when NO_NEW_PRIVS is enabled; in an
>> > attempt for more consistency, this patch extends this to prevent
>> > setting an arbitrary label when the new application lives on a
>> > filesystem mounted with MNT_NOSUID.
>>
>> It is never arbitrary (the new value is always controlled by policy),
>> and it isn't set on "new processes" per se but rather transitioned to
>> upon an exec. Anyway, the point of the change is to return an error
>> rather than silently ignore any /proc/self/attr/exec value when
>> executing from a nosuid mount.
>>
>> Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>
> I had a feeling while writing the patch description yesterday that someone was
> not going to be happy with the text ... does the subject/description below
> sound better to you guys?
>
> ***
> selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES
>
> We presently prevent processes from using setexecon() to set the security
> label of exec()'d processes when NO_NEW_PRIVS is enabled by returning an
> error; however, we silently ignore setexeccon() when exec()'ing from a nosuid
> mounted filesystem. This patch makes things a bit more consistent by
> returning an error in the setexeccon()/nosuid case.
> ***

Looks good to me.

--Andy