Re: [PATCH] libselinux: mount selinuxfs nodev,noexec,nosuid

On Sun, Mar 29, 2020 at 7:30 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
>
> On 29.3.2020 12.27, Dominick Grift wrote:
> > Topi Miettinen <toiwoton@xxxxxxxxx> writes:
> >
> >> Mount selinuxfs with mount flags nodev,noexec and nosuid. It's not
> >> likely that this has any effect, but it's visually more pleasing.
> >
> > will nodev interfere with this?
> >
> >    File: /sys/fs/selinux/null
> >    Size: 0               Blocks: 0          IO Block: 4096   character special file
> > Device: 15h/21d Inode: 23          Links: 1     Device type: 1,3
> > Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
> > Context: sys.id:sys.role:null.isid:s0
> > Access: 2020-03-28 13:04:05.578999988 +0100
> > Modify: 2020-03-28 13:04:05.578999988 +0100
> > Change: 2020-03-28 13:04:05.578999988 +0100
> >   Birth: -
> >
> > /sys/fs/selinux/null: character special (1/3)
>
> That device does not give me joy. Yes, the patch prevents it from being
> used. But I didn't see any problems in the logs, even with something
> else mounted over it (adding InaccessiblePaths=/sys/fs/selinux/null to
> systemd unit files). The device file was added pretty early to Linux,
> perhaps it was needed then, but not anymore?
>
> Judging from internet searches, maybe it's only used by Android. They
> seem to use a forked version of libselinux anyway.

/sys/fs/selinux/null is used by the kernel; SELinux closes any open
file descriptors not authorized for the new process context upon a
context-changing exec, and replaces them with a reference to
/sys/fs/selinux/null.  This was introduced because /dev/null couldn't
be guaranteed to exist or be available at all times. nodev likely has
no effect on this usage because it is probably only checked when a
userspace process tries to open it.

That said, I don't really understand what you think you are gaining by
adding these mount options to selinuxfs.  What threat are you
mitigating?   It is a kernel pseudo filesystem that doesn't support
dynamic file creation by userspace and whose contents are entirely
determined by the kernel.
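
Added example, not part of the thread or of libselinux: a small C check that reads a `/proc/self/mountinfo` line and reports which of the three flags under discussion (nodev, noexec, nosuid) are set on a selinuxfs mount, useful for auditing what a given libselinux build actually mounted. The function names, flag constants and the two sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define F_NODEV  1
#define F_NOEXEC 2
#define F_NOSUID 4

/* Return 1 if the comma-separated option list contains exactly `name`. */
static int has_opt(const char *opts, const char *name)
{
    size_t n = strlen(name);
    while (*opts) {
        size_t len = strcspn(opts, ",");
        if (len == n && strncmp(opts, name, n) == 0)
            return 1;
        opts += len;
        if (*opts == ',')
            opts++;
    }
    return 0;
}

/* Parse one /proc/self/mountinfo line. Returns a bitmask of F_* flags set on
 * a selinuxfs mount, or -1 if the line is malformed or another filesystem. */
int selinuxfs_flags(const char *line)
{
    char opts[256], fstype[64];
    const char *sep = strstr(line, " - ");   /* ends the optional fields */

    /* Field 6 holds the per-mount options; the fs type follows " - ". */
    if (!sep || sscanf(line, "%*s %*s %*s %*s %*s %255s", opts) != 1 ||
        sscanf(sep + 3, "%63s", fstype) != 1 || strcmp(fstype, "selinuxfs"))
        return -1;
    return (has_opt(opts, "nodev") ? F_NODEV : 0) |
           (has_opt(opts, "noexec") ? F_NOEXEC : 0) |
           (has_opt(opts, "nosuid") ? F_NOSUID : 0);
}

int main(void)
{
    /* Constructed sample lines, not captured from a real system. */
    const char *before = "24 23 0:21 / /sys/fs/selinux rw,relatime shared:5 - selinuxfs selinuxfs rw";
    const char *after = "24 23 0:21 / /sys/fs/selinux rw,nosuid,nodev,noexec,relatime shared:5 - selinuxfs selinuxfs rw";
    printf("before: %d\nafter: %d\n", selinuxfs_flags(before), selinuxfs_flags(after));
    return 0;
}
```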


