* [PATCH] sandbox/seunshare: remount /tmp and /var/tmp with the proper flags
@ 2026-05-12 20:06 Stephen Smalley
From: Stephen Smalley @ 2026-05-12 20:06 UTC (permalink / raw)
To: selinux; +Cc: jwcart2, plautrba, omosnace, paul, perfinion, Stephen Smalley
mount(2) with MS_BIND ignores any nosuid/nodev/noexec flags, so
seunshare_mount() was never setting those on the /tmp and
/var/tmp mounts. Fix seunshare_mount() to remount them
with those flags after the bind mount, which does
set them properly.
Test:
mkdir tmp
seunshare -t tmp /bin/bash
cp /bin/bash /tmp
/tmp/bash
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
sandbox/seunshare.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index b9c85bf2..985e0cfb 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -260,26 +260,32 @@ static int verify_shell(const char *shell_name)
*/
static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
{
- int flags = 0;
+ int bind_flags = MS_BIND;
+ int sec_flags = 0;
int is_tmp = 0;
if (verbose)
printf(_("Mounting %s on %s\n"), src, dst);
if (strcmp("/tmp", dst) == 0) {
- flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC;
+ sec_flags = MS_NODEV | MS_NOSUID | MS_NOEXEC;
is_tmp = 1;
}
if (strncmp("/run/user", dst, 9) == 0) {
- flags = flags | MS_REC;
+ bind_flags |= MS_REC;
}
/* mount directory */
- if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
+ if (mount(src, dst, NULL, bind_flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
return -1;
}
+ /* remount with security flags, ignored on original bind mount */
+ if (sec_flags && mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to remount %s: %m\n"), dst);
+ return -1;
+ }
/* verify whether we mounted what we expected to mount */
if (verify_directory(dst, src_st, NULL) < 0) return -1;
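Review bot: The `MS_BIND | MS_REMOUNT` call added before the verify_directory check replaces the mount's user-settable per-mount flags rather than OR-ing into them, so as I read fs/namespace.c the /tmp mount ends up with exactly nodev/nosuid/noexec (plus the kernel's default atime mode) and loses anything the source mount carried, such as a read-only or noatime setting. That is acceptable for a sandbox scratch directory, but the comment should say so, e.g. `/* MS_BIND|MS_REMOUNT replaces the per-mount flags: only what is listed in sec_flags survives, nothing is inherited from src */`. A smaller style point: the new error message uses `%m` while the message three lines above uses `strerror(errno)`; `%m` is a glibc extension, so either form is fine but the function should settle on one. seunshare_mount continues past the end of this hunk.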
@@ -289,10 +295,15 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
if (verbose)
printf(_("Mounting /tmp on /var/tmp\n"));
- if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
+ if (mount("/tmp", "/var/tmp", NULL, MS_BIND, NULL) < 0) {
fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
return -1;
}
+ /* remount with security flags, ignored on original bind mount */
+ if (mount(NULL, "/var/tmp", NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to remount /var/tmp: %m\n"));
+ return -1;
+ }
}
return 0;
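Review bot: The /var/tmp remount on the new lines is unguarded, unlike the /tmp remount earlier in the function which is wrapped in `if (sec_flags && ...)`; it appears to be safe only because this code sits in the branch taken when is_tmp is set (its opening is outside this hunk), where sec_flags was assigned alongside is_tmp, and if that coupling ever changes a remount with `sec_flags == 0` would strip the nosuid/nodev/noexec bits the bind from /tmp otherwise inherits. Mirroring the guard, `if (sec_flags && mount(NULL, "/var/tmp", NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {`, keeps the two paths consistent at no cost. It is also worth noting in the comment that, per mount(2), a bind mount takes the per-mount flags of its source, so because /tmp was already remounted before this bind the explicit remount here is defense in depth rather than the only thing setting the flags. The enclosing `if` block starts outside this hunk.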
--
2.54.0
* Re: [PATCH] sandbox/seunshare: remount /tmp and /var/tmp with the proper flags
From: Petr Lautrbach @ 2026-05-14 12:45 UTC (permalink / raw)
To: Stephen Smalley, selinux
Cc: jwcart2, omosnace, paul, perfinion, Stephen Smalley
Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> mount(2) with MS_BIND ignores any nosuid/nodev/noexec flags, so
> seunshare_mount() was never setting those on the /tmp and
> /var/tmp mounts. Fix seunshare_mount() to remount them
> with those flags after the bind mount, which does
> set them properly.
>
> Test:
> mkdir tmp
> seunshare -t tmp /bin/bash
> cp /bin/bash /tmp
> /tmp/bash
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
> ---
> sandbox/seunshare.c | 21 ++++++++++++++++-----
> 1 file changed, 16 insertions(+), 5 deletions(-)
>
> diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
> index b9c85bf2..985e0cfb 100644
> --- a/sandbox/seunshare.c
> +++ b/sandbox/seunshare.c
> @@ -260,26 +260,32 @@ static int verify_shell(const char *shell_name)
> */
> static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
> {
> - int flags = 0;
> + int bind_flags = MS_BIND;
> + int sec_flags = 0;
> int is_tmp = 0;
>
> if (verbose)
> printf(_("Mounting %s on %s\n"), src, dst);
>
> if (strcmp("/tmp", dst) == 0) {
> - flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC;
> + sec_flags = MS_NODEV | MS_NOSUID | MS_NOEXEC;
> is_tmp = 1;
> }
>
> if (strncmp("/run/user", dst, 9) == 0) {
> - flags = flags | MS_REC;
> + bind_flags |= MS_REC;
> }
>
> /* mount directory */
> - if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
> + if (mount(src, dst, NULL, bind_flags, NULL) < 0) {
> fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
> return -1;
> }
> + /* remount with security flags, ignored on original bind mount */
> + if (sec_flags && mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
> + fprintf(stderr, _("Failed to remount %s: %m\n"), dst);
> + return -1;
> + }
>
> /* verify whether we mounted what we expected to mount */
> if (verify_directory(dst, src_st, NULL) < 0) return -1;
> @@ -289,10 +295,15 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
> if (verbose)
> printf(_("Mounting /tmp on /var/tmp\n"));
>
> - if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
> + if (mount("/tmp", "/var/tmp", NULL, MS_BIND, NULL) < 0) {
> fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
> return -1;
> }
> + /* remount with security flags, ignored on original bind mount */
> + if (mount(NULL, "/var/tmp", NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
> + fprintf(stderr, _("Failed to remount /var/tmp: %m\n"));
> + return -1;
> + }
> }
>
> return 0;
> --
> 2.54.0
* Re: [PATCH] sandbox/seunshare: remount /tmp and /var/tmp with the proper flags
From: Petr Lautrbach @ 2026-05-15 14:11 UTC (permalink / raw)
To: Stephen Smalley, selinux
Cc: jwcart2, omosnace, paul, perfinion, Stephen Smalley
Petr Lautrbach <plautrba@redhat.com> writes:
> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>
>> mount(2) with MS_BIND ignores any nosuid/nodev/noexec flags, so
>> seunshare_mount() was never setting those on the /tmp and
>> /var/tmp mounts. Fix seunshare_mount() to remount them
>> with those flags after the bind mount, which does
>> set them properly.
>>
>> Test:
>> mkdir tmp
>> seunshare -t tmp /bin/bash
>> cp /bin/bash /tmp
>> /tmp/bash
>>
>> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>
> Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Merged, thanks!
>> ---
>> sandbox/seunshare.c | 21 ++++++++++++++++-----
>> 1 file changed, 16 insertions(+), 5 deletions(-)
>>
>> diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
>> index b9c85bf2..985e0cfb 100644
>> --- a/sandbox/seunshare.c
>> +++ b/sandbox/seunshare.c
>> @@ -260,26 +260,32 @@ static int verify_shell(const char *shell_name)
>> */
>> static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
>> {
>> - int flags = 0;
>> + int bind_flags = MS_BIND;
>> + int sec_flags = 0;
>> int is_tmp = 0;
>>
>> if (verbose)
>> printf(_("Mounting %s on %s\n"), src, dst);
>>
>> if (strcmp("/tmp", dst) == 0) {
>> - flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC;
>> + sec_flags = MS_NODEV | MS_NOSUID | MS_NOEXEC;
>> is_tmp = 1;
>> }
>>
>> if (strncmp("/run/user", dst, 9) == 0) {
>> - flags = flags | MS_REC;
>> + bind_flags |= MS_REC;
>> }
>>
>> /* mount directory */
>> - if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
>> + if (mount(src, dst, NULL, bind_flags, NULL) < 0) {
>> fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
>> return -1;
>> }
>> + /* remount with security flags, ignored on original bind mount */
>> + if (sec_flags && mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
>> + fprintf(stderr, _("Failed to remount %s: %m\n"), dst);
>> + return -1;
>> + }
>>
>> /* verify whether we mounted what we expected to mount */
>> if (verify_directory(dst, src_st, NULL) < 0) return -1;
>> @@ -289,10 +295,15 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
>> if (verbose)
>> printf(_("Mounting /tmp on /var/tmp\n"));
>>
>> - if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
>> + if (mount("/tmp", "/var/tmp", NULL, MS_BIND, NULL) < 0) {
>> fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
>> return -1;
>> }
>> + /* remount with security flags, ignored on original bind mount */
>> + if (mount(NULL, "/var/tmp", NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
>> + fprintf(stderr, _("Failed to remount /var/tmp: %m\n"));
>> + return -1;
>> + }
>> }
>>
>> return 0;
>> --
>> 2.54.0