From: Yu Watanabe Date: Fri, 25 Jun 2021 06:30:13 +0000 (+0900) Subject: core: do not set nosuid mount option when SELinux is enabled X-Git-Tag: v249-rc2~6^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5181630f2663eceea70e783cc141c6d51bbeeb1a;p=thirdparty%2Fsystemd.git core: do not set nosuid mount option when SELinux is enabled The mount option has special meaning when SELinux is enabled. To make NoNewPrivileges=yes not break SELinux enabled systems, let's not set the mount flag on such systems. --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 96d18dd93bd..b17635c5d24 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -676,9 +676,10 @@ CapabilityBoundingSet=~CAP_B CAP_C SystemCallFilter=, or SystemCallLog= are specified. Note that even if this setting is overridden by them, systemctl show shows the original value of this setting. In case the - service will be run in a new mount namespace anyway, all file systems are mounted with MS_NOSUID - flag. Also see - No New Privileges Flag. + service will be run in a new mount namespace anyway and SELinux is disabled, all file systems + are mounted with MS_NOSUID flag. Also see + No New + Privileges Flag. diff --git a/src/core/execute.c b/src/core/execute.c index dcf683f68b9..a83b1b56948 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -3191,7 +3191,7 @@ static int apply_mount_namespace( .proc_subset = context->proc_subset, .private_ipc = context->private_ipc || context->ipc_namespace_path, /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */ - .mount_nosuid = context->no_new_privileges, + .mount_nosuid = context->no_new_privileges && !mac_selinux_use(), }; } else if (!context->dynamic_user && root_dir) /*
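Review bot: In the man/systemd.exec.xml hunk, the new condition "and SELinux is disabled" is given without a reason, so a reader cannot tell why SELinux changes what NoNewPrivileges= does to the mounts. Consider adding a short clause taken from the commit message, namely that the nosuid mount option has special meaning when SELinux is enabled. It is also worth confirming that "disabled" describes the same state that the !mac_selinux_use() check in src/core/execute.c tests, and "with MS_NOSUID flag" would read better as "with the MS_NOSUID flag".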
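Review bot: In the src/core/execute.c hunk in apply_mount_namespace(), the unchanged comment above .mount_nosuid still reads "If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore", which no longer matches the assignment now that !mac_selinux_use() is part of the condition. Extend the comment to say that the flag is skipped when SELinux is in use because nosuid has special meaning there, so the reason is visible at the assignment and not only in the commit message.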