| Message ID | 20200428111142.6072-1-toiwoton@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Series | [v2] libselinux: mount selinuxfs noexec and nosuid |
On Tue, Apr 28, 2020 at 7:13 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> Mount selinuxfs with mount flags noexec and nosuid. It's not likely
> that this has any effect, but it's visually more pleasing.
>
> Option nodev can't be used because of /sys/fs/selinux/null device,
> which is used by Android.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
On Tue, Apr 28, 2020 at 02:11:42PM +0300, Topi Miettinen wrote: > Mount selinuxfs with mount flags noexec and nosuid. It's not likely > that this has any effect, but it's visually more pleasing. > > Option nodev can't be used because of /sys/fs/selinux/null device, > which is used by Android. > > Signed-off-by: Topi Miettinen <toiwoton@gmail.com> > Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Applied. > --- > libselinux/src/load_policy.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c > index fa1a3bf1..2aea826f 100644 > --- a/libselinux/src/load_policy.c > +++ b/libselinux/src/load_policy.c > @@ -279,7 +279,8 @@ int selinux_init_load_policy(int *enforce) > const char *mntpoint = NULL; > /* First make sure /sys is mounted */ > if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) { > - if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) { > + /* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */ > + if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) { > mntpoint = SELINUXMNT; > } else { > /* check old mountpoint */
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c index fa1a3bf1..2aea826f 100644 --- a/libselinux/src/load_policy.c +++ b/libselinux/src/load_policy.c @@ -279,7 +279,8 @@ int selinux_init_load_policy(int *enforce) const char *mntpoint = NULL; /* First make sure /sys is mounted */ if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) { - if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) { + /* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */ + if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) { mntpoint = SELINUXMNT; } else { /* check old mountpoint */
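Review bot: the new flags only take effect when this mount() call is the one that creates the mount; the `|| errno == EBUSY` branch accepts an already-mounted selinuxfs as success without touching its flags, so a system where init or an earlier caller mounted /sys/fs/selinux with flags 0 is left without noexec,nosuid. If the flags are meant to be guaranteed rather than best-effort, the EBUSY case could be followed by a remount such as `mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_REMOUNT | MS_NOEXEC | MS_NOSUID, NULL)`, or the commit message could state explicitly that an existing mount is left as found. The MS_NODEV comment beside the call is useful; if the old-mountpoint fallback in the `else` branch also performs a mount, it should be given the same flags for consistency.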
Mount selinuxfs with mount flags noexec and nosuid. It's not likely
that this has any effect, but it's visually more pleasing.

Option nodev can't be used because of /sys/fs/selinux/null device,
which is used by Android.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 libselinux/src/load_policy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
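Whether the flags this patch passes actually ended up on the mount can be verified from /proc/self/mountinfo. As an added example (not libselinux code), here is a small C checker that parses mountinfo text and reports whether the selinuxfs mount carries noexec and nosuid and, as the commit message requires, not nodev; the struct and function names and the sample mountinfo lines are constructed for this example.

```c
/* Added example (not libselinux code): report which MS_* flags the selinuxfs
 * mount actually carries, parsed from the text of /proc/self/mountinfo. */
#include <stdio.h>
#include <string.h>
struct selinuxfs_flags { int found, noexec, nosuid, nodev; };
/* Constructed mountinfo lines (not captured from a real host). SAMPLE_PLAIN is
 * what selinuxfs looks like when it was mounted without these flags. */
static const char SAMPLE_HARDENED[] =
    "22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw\n"
    "35 22 0:20 / /sys/fs/selinux rw,nosuid,noexec,relatime shared:14 - selinuxfs selinuxfs rw\n";
static const char SAMPLE_PLAIN[] =
    "35 22 0:20 / /sys/fs/selinux rw,relatime shared:14 - selinuxfs selinuxfs rw\n";

/* Non-zero if the comma-separated option list contains exactly 'name'. */
static int has_opt(const char *opts, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = opts; *p; p += strcspn(p, ","), p += (*p == ','))
        if (strcspn(p, ",") == n && strncmp(p, name, n) == 0)
            return 1;
    return 0;
}
/* Find the first mountinfo line whose filesystem type is selinuxfs. Field 6 holds
 * the per-mount options, which mirror the MS_* flags given to mount(2). */
struct selinuxfs_flags parse_selinuxfs_flags(const char *mountinfo)
{
    struct selinuxfs_flags f = {0, 0, 0, 0};
    const char *line = mountinfo;
    while (line && *line) {
        const char *eol = strchr(line, '\n'), *sep = strstr(line, " - ");
        char opts[256], fstype[64];
        /* skip id, parent, major:minor, root and mount point; keep the options */
        if (sscanf(line, "%*d %*d %*s %*s %*s %255s", opts) == 1 &&
            sep && (!eol || sep < eol) &&
            sscanf(sep + 3, "%63s", fstype) == 1 && strcmp(fstype, "selinuxfs") == 0) {
            f.found  = 1;
            f.noexec = has_opt(opts, "noexec");
            f.nosuid = has_opt(opts, "nosuid");
            f.nodev  = has_opt(opts, "nodev");
            break;
        }
        line = eol ? eol + 1 : NULL;
    }
    return f;
}
/* 1 when noexec and nosuid are set and nodev is clear, as the patch intends. */
int selinuxfs_hardened(const char *mountinfo)
{
    struct selinuxfs_flags f = parse_selinuxfs_flags(mountinfo);
    return f.found && f.noexec && f.nosuid && !f.nodev;
}
```

To check a live host, read /proc/self/mountinfo into a buffer and pass it to selinuxfs_hardened(); a 0 on a system where selinuxfs was mounted before libselinux ran reflects the EBUSY path, which keeps whatever flags the existing mount already had.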