On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> On 18.6.2021 6.50, Paul Moore wrote:
> > On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> >>
> >> Describe cases where nosuid_transition or nnp_transition are needed.
> >>
> >> Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
> >> --- > >> src/computing_security_contexts.md | 9 ++++++++- > >> 1 file changed, 8 insertions(+), 1 deletion(-) > >> > >> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md > >> index bb946b5..7bd1d87 100644 > >> --- a/src/computing_security_contexts.md > >> +++ b/src/computing_security_contexts.md
> >> @@ -84,7 +84,14 @@ Processes inherit their security context as follows: > >> *default_type* (policy version 28) or if a security-aware process, > >> by calling ***setexeccon**(3)* if permitted by policy prior to > >> invoking exec. > >> -3. At any time, a security-aware process may invoke ***setcon**(3)* to > >> +3. If the file system is mounted with *nosuid* flag, type transitions > >> + require permission *nosuid_transition*. If the thread has > >> + *no_new_privs* attribute set, the transition requires > >> + *nnp_transition*. For both transitions, policy capability > >> + *nnp_nosuid_transition* is also required. See also > >> + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) > >> + section.
> >
> > Thanks for adding this text, however I might suggest the following changes:
> >
> > "If the loaded SELinux policy has the nnp_nosuid_transition policy
> > capability enabled there are potentially two additional permissions
> > that are required to permit a domain transition: nosuid_transition for
> > nosuid mounted filesystems, and nnp_transition for threads with
> > the no_new_privs flag."
> >
> > ... does that make sense?
>
> Yes. I'd then add:
>
> "If nnp_nosuid_transition policy capability is disabled, such domain
> transitions are denied."

In most cases, yes that is correct, but bounded domain transitions are
still allowed in the case where the nnp_nosuid_transition policy
capability is not enabled.

Did you want to respin the patch with the above changes?

-- 
paul moore
www.paul-moore.com
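
Review bot: the new item 3 names the nnp_nosuid_transition policy capability only in its last sentence ("For both transitions, policy capability *nnp_nosuid_transition* is also required"), so it reads as a third requirement on top of the two permissions, and the item never says what happens to the transition when the capability is not enabled. Suggest opening the item with the capability and then listing nosuid_transition and nnp_transition as the permissions that apply once it is enabled, followed by one sentence on the outcome when it is disabled. The item also says "type transitions" in its first sentence and "the transition" in its second; since the list is about how processes get their context at exec, using "domain transition" in both places would be consistent. Minor wording: "mounted with *nosuid* flag" and "has *no_new_privs* attribute set" each need "the", and "See also ... section" reads better as "See also the ... section".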