selinux: Allow init exec ksud under nosuid
Signed-off-by: kaderbava <ksbava7325@gmail.com>
parent
ec7af3c55c
commit
23404376aa
@ -2318,9 +2318,12 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
|
||||
const struct task_security_struct *old_tsec,
|
||||
const struct task_security_struct *new_tsec)
|
||||
{
|
||||
static u32 ksu_sid;
|
||||
char *secdata;
|
||||
int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
|
||||
int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
|
||||
int rc;
|
||||
int rc,error;
|
||||
u32 seclen;
|
||||
|
||||
if (!nnp && !nosuid)
|
||||
return 0; /* neither NNP nor nosuid */
|
||||
@ -2328,6 +2331,18 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
|
||||
if (new_tsec->sid == old_tsec->sid)
|
||||
return 0; /* No change in credentials */
|
||||
|
||||
|
||||
if(!ksu_sid){
|
||||
security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid);
|
||||
}
|
||||
error = security_secid_to_secctx(old_tsec->sid, &secdata, &seclen);
|
||||
if (!error) {
|
||||
rc = strcmp("u:r:init:s0",secdata);
|
||||
security_release_secctx(secdata, seclen);
|
||||
if(rc == 0 && new_tsec->sid == ksu_sid){
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
/*
|
||||
* The only transitions we permit under NNP or nosuid
|
||||
* are transitions to bounded SIDs, i.e. SIDs that are
|
||||
|
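Review bot: The result of `security_secctx_to_secid()` is ignored in the second hunk, so `ksu_sid` is cached in a function-static without confirming that the lookup of `u:r:su:s0` succeeded, and that static is written with no synchronisation. The new early `return 0` sits ahead of the bounded-SID check and fires for any exec whose old context string equals `u:r:init:s0` and whose new SID equals `ksu_sid`. Nothing in the hunk ties it to the ksud binary, so the scope of the exemption presumably rests entirely on which policy rules can produce that transition; a comment stating this would help the next reader. Resolving the init context to a SID once and comparing SIDs would remove the `security_secid_to_secctx()` allocation and `strcmp()` from every NNP/nosuid exec that changes SID, and would stop `rc` being reused for a string-compare result. The body of check_nnp_nosuid continues past the end of the hunk.

```c
	static u32 ksu_sid, init_sid;
	/* … unchanged: nnp/nosuid computation and the two early returns … */

	/*
	 * KernelSU exemption: init -> su is allowed under NNP/nosuid without
	 * the bounded-SID check below. A failed lookup leaves the SID at 0,
	 * which keeps the exemption disabled.
	 */
	if (!ksu_sid &&
	    security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid))
		ksu_sid = 0;
	if (!init_sid &&
	    security_secctx_to_secid("u:r:init:s0", strlen("u:r:init:s0"), &init_sid))
		init_sid = 0;
	if (ksu_sid && init_sid &&
	    old_tsec->sid == init_sid && new_tsec->sid == ksu_sid)
		return 0;
	/* … unchanged: bounded-SID transition check … */
```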