1 files changed, 24 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a86d537eb79b..19be9d39c742 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -830,6 +830,28 @@ static int selinux_set_mnt_opts(struct super_block *sb,
                        goto out;
                }
        }
+        /*
+         * If this is a user namespace mount, no contexts are allowed
+         * on the command line and security labels must be ignored.
+         */
+        if (sb->s_user_ns != &init_user_ns) {
+                if (context_sid || fscontext_sid || rootcontext_sid ||
+                    defcontext_sid) {
+                        rc = -EACCES;
+                        goto out;
+                }
+                if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
+                        sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
+                        rc = security_transition_sid(current_sid(), current_sid(),
+                                                     SECCLASS_FILE, NULL,
+                                                     &sbsec->mntpoint_sid);
+                        if (rc)
+                                goto out;
+                }
+                goto out_set_opts;
+        }
        /* sets the context of the superblock for the fs being mounted. */
        if (fscontext_sid) {
                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
@@ -898,6 +920,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
                sbsec->def_sid = defcontext_sid;
        }
+out_set_opts:
        rc = sb_finish_set_opts(sb);
 out:
        mutex_unlock(&sbsec->lock);
@@ -2259,7 +2282,7 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
                            const struct task_security_struct *new_tsec)
 {
        int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
-        int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
+        int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
        int rc;
        if (!nnp && !nosuid)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a86d537eb79b..19be9d39c742 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -830,6 +830,28 @@ static int selinux_set_mnt_opts(struct super_block *sb,
830	goto out;	830	goto out;
831	}	831	}
832	}	832	}
		833
		834	/*
		835	* If this is a user namespace mount, no contexts are allowed
		836	* on the command line and security labels must be ignored.
		837	*/
		838	if (sb->s_user_ns != &init_user_ns) {
		839	if (context_sid \|\| fscontext_sid \|\| rootcontext_sid \|\|
		840	defcontext_sid) {
		841	rc = -EACCES;
		842	goto out;
		843	}
		844	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
		845	sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
		846	rc = security_transition_sid(current_sid(), current_sid(),
		847	SECCLASS_FILE, NULL,
		848	&sbsec->mntpoint_sid);
		849	if (rc)
		850	goto out;
		851	}
		852	goto out_set_opts;
		853	}
		854
833	/* sets the context of the superblock for the fs being mounted. */	855	/* sets the context of the superblock for the fs being mounted. */
834	if (fscontext_sid) {	856	if (fscontext_sid) {
835	rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);	857	rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
@@ -898,6 +920,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
898	sbsec->def_sid = defcontext_sid;	920	sbsec->def_sid = defcontext_sid;
899	}	921	}
900		922
		923	out_set_opts:
901	rc = sb_finish_set_opts(sb);	924	rc = sb_finish_set_opts(sb);
902	out:	925	out:
903	mutex_unlock(&sbsec->lock);	926	mutex_unlock(&sbsec->lock);
@@ -2259,7 +2282,7 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2259	const struct task_security_struct *new_tsec)	2282	const struct task_security_struct *new_tsec)
2260	{	2283	{
2261	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);	2284	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2262	int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);	2285	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2263	int rc;	2286	int rc;
2264		2287
2265	if (!nnp && !nosuid)	2288	if (!nnp && !nosuid)