diff options
author | Paul Moore <pmoore@redhat.com> | 2014-05-15 17:16:06 +0200 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2014-05-15 17:16:06 +0200 |
commit | 4f189988a0a5890db597ec48fc0e8b09922f290a (patch) | |
tree | b3160fdb38bc7ab16a603ed69d737be2b1b7d5d2 /security | |
parent | selinux: Report permissive mode in avc: denied messages. (diff) | |
download | linux-4f189988a0a5890db597ec48fc0e8b09922f290a.tar.xz linux-4f189988a0a5890db597ec48fc0e8b09922f290a.zip |
selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES
We presently prevent processes from using setexecon() to set the
security label of exec()'d processes when NO_NEW_PRIVS is enabled by
returning an error; however, we silently ignore setexeccon() when
exec()'ing from a nosuid mounted filesystem. This patch makes things
a bit more consistent by returning an error in the setexeccon()/nosuid
case.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 889cf4c3c3fa..b03b0776955a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2123,11 +2123,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) new_tsec->exec_sid = 0; /* - * Minimize confusion: if no_new_privs and a transition is - * explicitly requested, then fail the exec. + * Minimize confusion: if no_new_privs or nosuid and a + * transition is explicitly requested, then fail the exec. */ if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) return -EPERM; + if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) + return -EACCES; } else { /* Check for a default transition on this program. */ rc = security_transition_sid(old_tsec->sid, isec->sid, |