On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
>
> Describe cases where nosuid_transition or nnp_transition are needed.
>
> Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
> ---
> src/computing_security_contexts.md | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
> index bb946b5..7bd1d87 100644
> --- a/src/computing_security_contexts.md
> +++ b/src/computing_security_contexts.md
> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
> *default_type* (policy version 28) or if a security-aware process,
> by calling ***setexeccon**(3)* if permitted by policy prior to
> invoking exec.
> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
> +3. If the file system is mounted with *nosuid* flag, type transitions
> + require permission *nosuid_transition*. If the thread has
> + *no_new_privs* attribute set, the transition requires
> + *nnp_transition*. For both transitions, policy capability
> + *nnp_nosuid_transition* is also required. See also
> + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
> + section.

Thanks for adding this text, however I might suggest the following changes:

"If the loaded SELinux policy has the nnp_nosuid_transition policy capability enabled there are potentially two additional permissions that are required to permit a domain transition: nosuid_transition for nosuid mounted filesystems, and nnp_transition for threads with the no_new_privs flag."

... does that make sense?

> +4. At any time, a security-aware process may invoke ***setcon**(3)* to
> switch its security context (if permitted by policy) although this
> practice is generally discouraged - exec-based transitions are
> preferred.
> --
> 2.30.2

--
paul moore
www.paul-moore.com
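Review bot: the new item 3 in the hunk presents the nnp_nosuid_transition policy capability as something that is "also required" for both transitions, which reads as if it were a third permission checked alongside nosuid_transition and nnp_transition rather than the policy setting that decides whether those two permission checks apply at all; the reply's suggested wording, which makes the capability the condition and the two permissions the consequence, is the clearer statement and should replace the hunk's sentence. The hunk also leaves unstated what happens to a nosuid or no_new_privs transition when the capability is not enabled in the loaded policy, which is exactly what a reader of this section will want to know next. Minor wording in the added lines: "mounted with the *nosuid* flag", "has the *no_new_privs* attribute set", and "require the *nosuid_transition* permission".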