selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES

We presently prevent processes from using setexecon() to set the
security label of exec()'d processes when NO_NEW_PRIVS is enabled by
returning an error; however, we silently ignore setexeccon() when
exec()'ing from a nosuid mounted filesystem.  This patch makes things
a bit more consistent by returning an error in the setexeccon()/nosuid
case.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 889cf4c3c3fa849d9cd2635c7e32cc61101d78c7..b03b0776955a2c703c4ed95c3496eca5da15b00c 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2123,11 +2123,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
                new_tsec->exec_sid = 0;
 
                /*
-                * Minimize confusion: if no_new_privs and a transition is
-                * explicitly requested, then fail the exec.
+                * Minimize confusion: if no_new_privs or nosuid and a
+                * transition is explicitly requested, then fail the exec.
                 */
                if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
                        return -EPERM;
+               if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
+                       return -EACCES;
        } else {
                /* Check for a default transition on this program. */
                rc = security_transition_sid(old_tsec->sid, isec->sid,