* [PATCH v2] libselinux: mount selinuxfs noexec and nosuid
From: Topi Miettinen @ 2020-04-28 11:11 UTC (permalink / raw)
To: selinux; +Cc: Topi Miettinen
Mount selinuxfs with mount flags noexec and nosuid. It's not likely
that this has any effect, but it's visually more pleasing.
Option nodev can't be used because of /sys/fs/selinux/null device,
which is used by Android.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
libselinux/src/load_policy.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index fa1a3bf1..2aea826f 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -279,7 +279,8 @@ int selinux_init_load_policy(int *enforce)
const char *mntpoint = NULL;
/* First make sure /sys is mounted */
if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) {
- if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+ /* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
+ if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
mntpoint = SELINUXMNT;
} else {
/* check old mountpoint */
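Review bot: the `|| errno == EBUSY` branch means that when selinuxfs is already mounted (by an initramfs or an earlier call to this function), the new `MS_NOEXEC | MS_NOSUID` flags are never applied and the existing mount keeps whatever flags it was created with, so the change only takes effect when this code performs the first mount; if the flags are meant to be guaranteed, the EBUSY path could follow up with `mount(NULL, SELINUXMNT, NULL, MS_REMOUNT | MS_NOEXEC | MS_NOSUID, NULL)`, otherwise the commit message should say that an already-mounted selinuxfs is left as-is. Minor: the added comment line exceeds 80 columns; consider wrapping it.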
--
2.26.2
* Re: [PATCH v2] libselinux: mount selinuxfs noexec and nosuid
From: Stephen Smalley @ 2020-04-29 15:30 UTC (permalink / raw)
To: Topi Miettinen; +Cc: SElinux list
On Tue, Apr 28, 2020 at 7:13 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> Mount selinuxfs with mount flags noexec and nosuid. It's not likely
> that this has any effect, but it's visually more pleasing.
>
> Option nodev can't be used because of /sys/fs/selinux/null device,
> which is used by Android.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
* Re: [PATCH v2] libselinux: mount selinuxfs noexec and nosuid
From: Petr Lautrbach @ 2020-05-04 8:41 UTC (permalink / raw)
To: selinux; +Cc: Topi Miettinen
On Tue, Apr 28, 2020 at 02:11:42PM +0300, Topi Miettinen wrote:
> Mount selinuxfs with mount flags noexec and nosuid. It's not likely
> that this has any effect, but it's visually more pleasing.
>
> Option nodev can't be used because of /sys/fs/selinux/null device,
> which is used by Android.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Applied.
> ---
> libselinux/src/load_policy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> index fa1a3bf1..2aea826f 100644
> --- a/libselinux/src/load_policy.c
> +++ b/libselinux/src/load_policy.c
> @@ -279,7 +279,8 @@ int selinux_init_load_policy(int *enforce)
> const char *mntpoint = NULL;
> /* First make sure /sys is mounted */
> if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) {
> - if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
> + /* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
> + if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
> mntpoint = SELINUXMNT;
> } else {
> /* check old mountpoint */