diff options
author | James Morris <james.l.morris@oracle.com> | 2014-05-26 22:38:46 +1000 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2014-05-26 22:38:46 +1000 |
commit | 92953ff38ba59b4f7b1a54ab28b84be35fafaecc (patch) | |
tree | 235ddd61f28c3030838ebbe5655fccfd1468042c /security/selinux/hooks.c | |
parent | 2fd4e6698f0863f47558e63b67c7c3a026513541 (diff) | |
parent | 47dd0b76ace953bd2c0479076db0d3e3b9594003 (diff) |
Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6ab22720c27..d4cbf7d16f0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2123,11 +2123,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) new_tsec->exec_sid = 0; /* - * Minimize confusion: if no_new_privs and a transition is - * explicitly requested, then fail the exec. + * Minimize confusion: if no_new_privs or nosuid and a + * transition is explicitly requested, then fail the exec. */ if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) return -EPERM; + if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) + return -EACCES; } else { /* Check for a default transition on this program. */ rc = security_transition_sid(old_tsec->sid, isec->sid, @@ -2770,6 +2772,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na static noinline int audit_inode_permission(struct inode *inode, u32 perms, u32 audited, u32 denied, + int result, unsigned flags) { struct common_audit_data ad; @@ -2780,7 +2783,7 @@ static noinline int audit_inode_permission(struct inode *inode, ad.u.inode = inode; rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, - audited, denied, &ad, flags); + audited, denied, result, &ad, flags); if (rc) return rc; return 0; @@ -2822,7 +2825,7 @@ static int selinux_inode_permission(struct inode *inode, int mask) if (likely(!audited)) return rc; - rc2 = audit_inode_permission(inode, perms, audited, denied, flags); + rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); if (rc2) return rc2; return rc; |