[meta-selinux][PATCH] libselinux: mount selinuxfs with noexec


Maximilian Blenk
 

Ensure that selinuxfs is mounted using the noexec and nosuid flags.
The current master branch of meta-selinux already contains this commit.

Change-Id: I38cba8ad0da17286f8b722c24717da5990ac1ee8
Upstream-Status: Backport [https://github.com/SELinuxProject/selinux/commit/7eaea214a0a5d9e3fb517152ac6162449ed3ef40]
---
...ux-mount-selinuxfs-noexec-and-nosuid.patch | 36 +++++++++++++++++++
recipes-security/selinux/libselinux_3.0.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 recipes-security/selinux/libselinux/0001-libselinux-mount-selinuxfs-noexec-and-nosuid.patch

Hi there,

this commit backports a patch of libselinux that ensures that the
selinuxfs is mounted using the noexec and nosuid flags. Thought you guys
might also be interested in backporting this one.

BR Max


diff --git a/recipes-security/selinux/libselinux/0001-libselinux-mount-selinuxfs-noexec-and-nosuid.patch b/recipes-security/selinux/libselinux/0001-libselinux-mount-selinuxfs-noexec-and-nosuid.patch
new file mode 100644
index 0000000..2de9573
--- /dev/null
+++ b/recipes-security/selinux/libselinux/0001-libselinux-mount-selinuxfs-noexec-and-nosuid.patch
@@ -0,0 +1,36 @@
+From a94f3791ddd3155dde94ed48ffd1566fbe8bf4e2 Mon Sep 17 00:00:00 2001
+From: Topi Miettinen <toiwoton@...>
+Date: Tue, 28 Apr 2020 14:11:42 +0300
+Subject: [PATCH] libselinux: mount selinuxfs noexec and nosuid
+
+Mount selinuxfs with mount flags noexec and nosuid. It's not likely
+that this has any effect, but it's visually more pleasing.
+
+Option nodev can't be used because of /sys/fs/selinux/null device,
+which is used by Android.
+
+Signed-off-by: Topi Miettinen <toiwoton@...>
+Acked-by: Stephen Smalley <stephen.smalley.work@...>
+---
+ libselinux/src/load_policy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Upstream-Status: Backport [git https://github.com/SELinuxProject/selinux/commit/7eaea214a0a5d9e3fb517152ac6162449ed3ef40]
+
+diff --git a/src/load_policy.c b/src/load_policy.c
+index 9e75292d..ccf73c95 100644
+--- a/src/load_policy.c
++++ b/src/load_policy.c
+@@ -281,7 +281,8 @@ int selinux_init_load_policy(int *enforce)
+ const char *mntpoint = NULL;
+ /* First make sure /sys is mounted */
+ if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) {
+- if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
++ /* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
++ if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
+ mntpoint = SELINUXMNT;
+ } else {
+ /* check old mountpoint */
+--
+2.33.0
+
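Review bot: the `|| errno == EBUSY` branch kept on the new mount() call means MS_NOEXEC | MS_NOSUID only take effect when libselinux performs the selinuxfs mount itself; if init or an earlier boot stage has already mounted /sys/fs/selinux (the EBUSY case), that mount keeps whatever options it was given and this hunk changes nothing, which is consistent with the embedded commit message's own "not likely that this has any effect". If this layer wants noexec,nosuid on selinuxfs guaranteed, the init's mount of selinuxfs needs the same options. Two smaller consistency points: the diffstat line `libselinux/src/load_policy.c | 3 ++-` still carries the upstream monorepo path while the diff body uses `a/src/load_policy.c` (right for applying against the libselinux tarball at the default strip level, but the header no longer matches the body), and the `Upstream-Status:` line sits below the `---` separator, so it is visible in the patch file but will be dropped from the commit message if the patch is ever applied with `git am`.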
diff --git a/recipes-security/selinux/libselinux_3.0.bb b/recipes-security/selinux/libselinux_3.0.bb
index 4a60962..40defcd 100644
--- a/recipes-security/selinux/libselinux_3.0.bb
+++ b/recipes-security/selinux/libselinux_3.0.bb
@@ -13,4 +13,5 @@ SRC_URI += "\
file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
file://0001-Fix-building-against-musl-and-uClibc-libc-libraries.patch \
file://0001-Fix-NULL-pointer-use-in-selinux_restorecon_set_sehandle.patch \
+ file://0001-libselinux-mount-selinuxfs-noexec-and-nosuid.patch \
"
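Review bot: the new `file://0001-libselinux-mount-selinuxfs-noexec-and-nosuid.patch` entry is the third patch in this SRC_URI carrying a `0001-` prefix (alongside the musl/uClibc and NULL-pointer patches above it). The number carries no ordering information since patches apply in SRC_URI order, but renaming it to the next free number, or dropping the prefix as `libselinux-define-FD_CLOEXEC-as-necessary.patch` does, would avoid three files that all look like commit 1 of separate series. The trailing backslash and the placement before the closing quote match the existing entries, so the variable stays well-formed.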
--
2.33.0
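Because the patched mount() call still accepts an already-mounted selinuxfs (the `errno == EBUSY` path), the only reliable way to know whether an image actually has noexec and nosuid on /sys/fs/selinux is to look at the live mount table. The following is an added example, not part of this patch, libselinux or meta-selinux: a POSIX sh check that parses /proc/self/mountinfo lines, finds the mount whose filesystem type is selinuxfs, and reports which of the two expected flags are missing. The sample mountinfo lines are constructed for the example; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the patch or libselinux): verify that the selinuxfs
# mount carries the noexec and nosuid options that the backported patch sets.
#
# /proc/self/mountinfo fields (proc(5)): 1 mount ID, 2 parent ID, 3 major:minor,
# 4 root, 5 mount point, 6 per-mount options, optional fields..., "-" separator,
# then fs type, mount source, super options.

# Print the per-mount options (field 6) of the mount whose fs type is selinuxfs,
# reading mountinfo-format text from stdin. Prints nothing if it is not mounted.
selinuxfs_mount_opts() {
    awk '{
        # the fs type is the field immediately after the "-" separator
        for (i = 7; i <= NF; i++)
            if ($i == "-") { if ($(i+1) == "selinuxfs") print $6; break }
    }'
}

# Report the state of the selinuxfs mount from mountinfo text on stdin.
# Prints "ok", "not-mounted", or a comma-separated list of missing flags.
# Usage: check_selinuxfs_flags < /proc/self/mountinfo
check_selinuxfs_flags() {
    opts=$(selinuxfs_mount_opts)
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    missing=""
    for flag in noexec nosuid; do
        case ",$opts," in
            *",$flag,"*) ;;                          # flag present
            *) missing="${missing:+$missing,}$flag" ;;  # flag absent
        esac
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "$missing"
    return 1
}

# Constructed sample mountinfo snippets (not captured from a real system).
# What the mount table looks like when libselinux performed the mount with the
# patched flags:
SAMPLE_HARDENED='24 18 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
25 24 0:22 / /sys/fs/selinux rw,nosuid,noexec,relatime shared:8 - selinuxfs selinuxfs rw'
# What it looks like when an earlier stage mounted selinuxfs with default options
# and libselinux hit EBUSY, so the new flags never applied:
SAMPLE_DEFAULT='24 18 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
25 24 0:22 / /sys/fs/selinux rw,relatime shared:8 - selinuxfs selinuxfs rw'

# Check the running system when invoked as: sh check_selinuxfs.sh --live
if [ "${1:-}" = "--live" ] && [ -r /proc/self/mountinfo ]; then
    check_selinuxfs_flags < /proc/self/mountinfo
fi
```

The check reads only the per-mount option field, which is where MS_NOEXEC and MS_NOSUID show up; the super-block options after the separator are not relevant to these flags. On the SAMPLE_DEFAULT table it prints `noexec,nosuid` and exits non-zero, which is the signal that the mount came from somewhere other than the patched libselinux code path.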
