selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES We presently prevent processes from using setexecon() to set the security label of exec()'d processes when NO_NEW_PRIVS is enabled by returning an error; however, we silently ignore setexeccon() when exec()'ing from a nosuid mounted filesystem. This patch makes things a bit more consistent by returning an error in the setexeccon()/nosuid case. Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Andy Lutomirski <luto@amacapital.net> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: 4f189988a0a5890db597ec48fc0e8b09922f290a [log] [tgz]
author: Paul Moore <pmoore@redhat.com> Thu May 15 11:16:06 2014 -0400
committer: Paul Moore <pmoore@redhat.com> Thu May 15 11:16:06 2014 -0400
tree: b3160fdb38bc7ab16a603ed69d737be2b1b7d5d2
parent: 626b9740fa73cad043e136bfb3b6fca68a4f8a7c [diff] [blame]
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 889cf4c..b03b077 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -2123,11 +2123,13 @@
 		new_tsec->exec_sid = 0;
 
 		/*
-		 * Minimize confusion: if no_new_privs and a transition is
-		 * explicitly requested, then fail the exec.
+		 * Minimize confusion: if no_new_privs or nosuid and a
+		 * transition is explicitly requested, then fail the exec.
 		 */
 		if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
 			return -EPERM;
+		if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
+			return -EACCES;
 	} else {
 		/* Check for a default transition on this program. */
 		rc = security_transition_sid(old_tsec->sid, isec->sid,
commit	4f189988a0a5890db597ec48fc0e8b09922f290a	[log] [tgz]
author	Paul Moore <pmoore@redhat.com>	Thu May 15 11:16:06 2014 -0400
committer	Paul Moore <pmoore@redhat.com>	Thu May 15 11:16:06 2014 -0400
tree	b3160fdb38bc7ab16a603ed69d737be2b1b7d5d2
parent	626b9740fa73cad043e136bfb3b6fca68a4f8a7c [diff] [blame]