Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions

[Topi Miettinen <toiwoton@xxxxxxxxx>]

On 18.6.2021 22.32, Paul Moore wrote:
> On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> > On 18.6.2021 6.50, Paul Moore wrote:
> > > On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> > > > Describe cases where nosuid_transition or nnp_transition are needed.
> > > >
> > > > Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
> > > > ---
> > > >    src/computing_security_contexts.md | 9 ++++++++-
> > > >    1 file changed, 8 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
> > > > index bb946b5..7bd1d87 100644
> > > > --- a/src/computing_security_contexts.md
> > > > +++ b/src/computing_security_contexts.md
> > > > @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
> > > >       *default_type* (policy version 28) or if a security-aware process,
> > > >       by calling ***setexeccon**(3)* if permitted by policy prior to
> > > >       invoking exec.
> > > > -3. At any time, a security-aware process may invoke ***setcon**(3)* to
> > > > +3. If the file system is mounted with *nosuid* flag, type transitions
> > > > +   require permission *nosuid_transition*. If the thread has
> > > > +   *no_new_privs* attribute set, the transition requires
> > > > +   *nnp_transition*. For both transitions, policy capability
> > > > +   *nnp_nosuid_transition* is also required. See also
> > > > +   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
> > > > +   section.
> > >
> > > Thanks for adding this text, however I might suggest the following changes:
> > >
> > > "If the loaded SELinux policy has the nnp_nosuid_transition policy
> > > capability enabled there are potentially two additional permissions
> > > that are required to permit a domain transition: nosuid_transition for
> > > nosuid mounted filesystems, and nnp_transition for for threads with
> > > the no_new_privs flag."
> > >
> > > ... does that make sense?
> >
> > Yes. I'd then add:
> >
> > "If nnp_nosuid_transition policy capability is disabled, such domain
> > transitions are denied."
>
> In most cases, yes that is correct, but bounded domain transitions are
> still allowed in the case where the nnp_nosuid_transition policy
> capability is not enabled.

I see. May I propose then:

"If nnp_nosuid_transition policy capability is disabled, such domain
transitions are denied but bounded domain transitions are still allowed. 
In bounded transitions, target domain is only allowed a subset of the 
permissions of the source domain."

-Topi