security: selinux: allow init exec (kernelsu:ksud) under nosuid
Change-Id: Iec85c5ca376d6583489b50cb3ebab77402f5834a
F-19-F authored and stic-server-open committed Mar 31, 2023
1 parent 9bb168d commit 09a4672
Showing 1 changed file with 15 additions and 1 deletion.
16 changes: 15 additions & 1 deletion security/selinux/hooks.c
Expand Up @@ -2266,16 +2266,30 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
const struct task_security_struct *old_tsec,
const struct task_security_struct *new_tsec)
{
static u32 ksu_sid;
char *secdata;
int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
int rc;
int rc, error;
u32 seclen;

if (!nnp && !nosuid)
return 0; /* neither NNP nor nosuid */

if (new_tsec->sid == old_tsec->sid)
return 0; /* No change in credentials */

if (!ksu_sid)
security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid);

error = security_secid_to_secctx(old_tsec->sid, &secdata, &seclen);
if (!error) {
rc = strcmp("u:r:init:s0", secdata);
security_release_secctx(secdata, seclen);
if (rc == 0 && new_tsec->sid == ksu_sid)
return 0;
}

/*
* The only transitions we permit under NNP or nosuid
* are transitions to bounded SIDs, i.e. SIDs that are
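Review bot: The new exemption resolves the two sides inconsistently — the target domain is cached once as a SID, but the caller is identified by calling security_secid_to_secctx() and strcmp()-ing the resulting string against "u:r:init:s0" on every exec that reaches this point (each call allocates and formats a context string, and the `error` name breaks the surrounding `rc` convention); the return value of security_secctx_to_secid() is also ignored, so a failed lookup silently leaves ksu_sid at 0 and is retried on every call. Caching an init SID the same way as ksu_sid and comparing SIDs removes the per-exec allocation and string compare, and guarding on both SIDs being non-zero makes the "policy does not define the domain" case explicit. Since this early return deliberately sits in front of the bounded-SID check that NNP/nosuid otherwise enforce, the carve-out should also be documented in place, e.g. `/* KernelSU: init may transition to su (ksud) even under NNP/nosuid; this bypasses the bounded-SID rule below for that one pair. */`. check_nnp_nosuid's body continues past the end of the hunk.
```c
	static u32 ksu_sid, init_sid;
	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
	int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
	int rc;

	/* … unchanged: early returns for !nnp && !nosuid and unchanged SID … */

	if (!ksu_sid)
		security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid);
	if (!init_sid)
		security_secctx_to_secid("u:r:init:s0", strlen("u:r:init:s0"), &init_sid);

	/*
	 * KernelSU: init may transition to su (ksud) even under NNP/nosuid.
	 * Both SIDs must have resolved against the loaded policy; otherwise
	 * fall through to the bounded-SID check below.
	 */
	if (init_sid && ksu_sid &&
	    old_tsec->sid == init_sid && new_tsec->sid == ksu_sid)
		return 0;
```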
