Disallow writes to /sys/fs/selinux/user in non-init SELinux namespaces.
Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
 security/selinux/selinuxfs.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c91bf329692c..de4d7eda415f 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1354,9 +1354,16 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
 int rc;
 u32 i, len, nsids;
- pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!" " This will not be supported in the future; please update your" " userspace.\n", current->comm, current->pid);
+ if (state == init_selinux_state) {
+ pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!" " This will not be supported in the future; please update your" " userspace.\n", current->comm, current->pid);
+ } else {
+ pr_warn_ratelimited("SELinux: %s (%d) tried to write to /sys/fs/selinux/user!" " This is not supported in non-init SELinux namespaces; please update your" " userspace.\n", current->comm, current->pid);
+ return -EPERM;
+ }
 /*
 * Only check against the current namespace because
--
2.47.1
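Review bot: The new `return -EPERM` in the `else` branch fires before whatever access check follows the `Only check against the current namespace` comment (that code, like the declaration of `state`, is outside the hunk), so a rejected write from a non-init namespace presumably never reaches the AVC check and leaves no audit record, only the rate-limited kernel log line that any writer in such a namespace can trigger. If that is the intended trade-off, say so at the return, e.g. `/* Reject before the AVC check: no audit event, only the ratelimited warning. */`, so nobody later "fixes" the ordering. sel_write_user begins and ends outside this hunk. As a matter of style, the allowed path reads more clearly as a guard clause than as an `if` whose `else` returns; the rewrite below keeps both messages byte-for-byte and only changes the shape.
```c
	/* … unchanged: local declarations … */

	if (state != init_selinux_state) {
		/* Rejected before the AVC check: no audit event, only this ratelimited log. */
		pr_warn_ratelimited("SELinux: %s (%d) tried to write to /sys/fs/selinux/user!"
				    " This is not supported in non-init SELinux namespaces; please update your"
				    " userspace.\n", current->comm, current->pid);
		return -EPERM;
	}

	pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!"
			    " This will not be supported in the future; please update your"
			    " userspace.\n", current->comm, current->pid);

	/* … unchanged: namespace comment and the rest of sel_write_user … */
```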