Merge tag 'linux-kselftest-4.11-rc1-urgent_fix' of git://git.kernel.org/pub/scm/linux...

[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e6b1b741032192f437eb331392cd05ffc98ce1cd..0a4b4b040e0ab0e2ea954744b4d3d023481896d1 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -480,12 +480,13 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
                sbsec->behavior == SECURITY_FS_USE_NATIVE ||
                /* Special handling. Genfs but also in-core setxattr handler */
                !strcmp(sb->s_type->name, "sysfs") ||
-               !strcmp(sb->s_type->name, "cgroup") ||
-               !strcmp(sb->s_type->name, "cgroup2") ||
                !strcmp(sb->s_type->name, "pstore") ||
                !strcmp(sb->s_type->name, "debugfs") ||
                !strcmp(sb->s_type->name, "tracefs") ||
-               !strcmp(sb->s_type->name, "rootfs");
+               !strcmp(sb->s_type->name, "rootfs") ||
+               (selinux_policycap_cgroupseclabel &&
+                (!strcmp(sb->s_type->name, "cgroup") ||
+                 !strcmp(sb->s_type->name, "cgroup2")));
 }
 
 static int sb_finish_set_opts(struct super_block *sb)
@@ -2399,8 +2400,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 
                /* Make sure that anyone attempting to ptrace over a task that
                 * changes its SID has the appropriate permit */
-               if (bprm->unsafe &
-                   (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
+               if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
                        u32 ptsid = ptrace_parent_sid();
                        if (ptsid != 0) {
                                rc = avc_has_perm(ptsid, new_tsec->sid,