[PATCH v2] libselinux: mount selinuxfs noexec and nosuid

[PATCH v2] libselinux: mount selinuxfs noexec and nosuid

[Topi Miettinen]

Mount selinuxfs with mount flags noexec and nosuid. It's not likely
that this has any effect, but it's visually more pleasing.

Option nodev can't be used because of /sys/fs/selinux/null device,
which is used by Android.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 libselinux/src/load_policy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index fa1a3bf1..2aea826f 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -279,7 +279,8 @@ int selinux_init_load_policy(int *enforce)
 	const char *mntpoint = NULL;
 	/* First make sure /sys is mounted */
 	if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) {
-		if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+		/* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
+		if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
 			mntpoint = SELINUXMNT;
 		} else {
 			/* check old mountpoint */
-- 
2.26.2

Re: [PATCH v2] libselinux: mount selinuxfs noexec and nosuid

[Stephen Smalley]

On Tue, Apr 28, 2020 at 7:13 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> Mount selinuxfs with mount flags noexec and nosuid. It's not likely
> that this has any effect, but it's visually more pleasing.
>
> Option nodev can't be used because of /sys/fs/selinux/null device,
> which is used by Android.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Re: [PATCH v2] libselinux: mount selinuxfs noexec and nosuid

[Petr Lautrbach]

[-- Attachment #1: Type: text/plain, Size: 1296 bytes --]

On Tue, Apr 28, 2020 at 02:11:42PM +0300, Topi Miettinen wrote:
> Mount selinuxfs with mount flags noexec and nosuid. It's not likely
> that this has any effect, but it's visually more pleasing.
> 
> Option nodev can't be used because of /sys/fs/selinux/null device,
> which is used by Android.
> 
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Applied.

> ---
>  libselinux/src/load_policy.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> index fa1a3bf1..2aea826f 100644
> --- a/libselinux/src/load_policy.c
> +++ b/libselinux/src/load_policy.c
> @@ -279,7 +279,8 @@ int selinux_init_load_policy(int *enforce)
>  	const char *mntpoint = NULL;
>  	/* First make sure /sys is mounted */
>  	if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) {
> -		if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
> +		/* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
> +		if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
>  			mntpoint = SELINUXMNT;
>  		} else {
>  			/* check old mountpoint */


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]