* [PATCH v3] selinux: add security in-core xattr support for tracefs
From: william.c.roberts @ 2016-12-06 18:27 UTC
  To: sds, nnk, paul, selinux; +Cc: Yongqin Liu, William Roberts

From: Yongqin Liu <yongqin.liu@linaro.org>

Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate filesystem
SELinux needs to be updated to also support setting SELinux labels
on tracefs inodes.  This is required for compatibility in Android
when moving to Linux 4.1 or newer.

Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 security/selinux/hooks.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 09fd610..24bd84d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -491,6 +491,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
 		!strcmp(sb->s_type->name, "sysfs") ||
 		!strcmp(sb->s_type->name, "pstore") ||
 		!strcmp(sb->s_type->name, "debugfs") ||
+		!strcmp(sb->s_type->name, "tracefs") ||
 		!strcmp(sb->s_type->name, "rootfs");
 }
 
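Review bot: The added "tracefs" comparison in selinux_is_sblabel_mnt() carries no comment explaining why tracefs needs its own entry next to "debugfs". A one-line comment above the added line, saying that tracefs has been a separate filesystem since 4.1 and is automounted at /sys/kernel/debug/tracing, would keep the reason with the code rather than only in the change log.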
-- 
2.7.4


* Re: [PATCH v3] selinux: add security in-core xattr support for tracefs
From: Stephen Smalley @ 2016-12-06 20:41 UTC
  To: william.c.roberts, nnk, paul, selinux; +Cc: Yongqin Liu

On 12/06/2016 01:27 PM, william.c.roberts@intel.com wrote:
> From: Yongqin Liu <yongqin.liu@linaro.org>
> 
> Since kernel 4.1 ftrace is supported as a new separate filesystem. It
> gets automatically mounted by the kernel under the old path
> /sys/kernel/debug/tracing. Because it lives now on a separate filesystem
> SELinux needs to be updated to also support setting SELinux labels
> on tracefs inodes.  This is required for compatibility in Android
> when moving to Linux 4.1 or newer.
> 
> Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

I'm ok with this under the view that it is needed for compatibility and
the general purpose solution may take some time to implement and then
will further require updated policy toolchain and policy.  Of course, it
would be nice to start that sooner rather than later...

> ---
>  security/selinux/hooks.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 09fd610..24bd84d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -491,6 +491,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
>  		!strcmp(sb->s_type->name, "sysfs") ||
>  		!strcmp(sb->s_type->name, "pstore") ||
>  		!strcmp(sb->s_type->name, "debugfs") ||
> +		!strcmp(sb->s_type->name, "tracefs") ||
>  		!strcmp(sb->s_type->name, "rootfs");
>  }
>  
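Review bot: Matching on sb->s_type->name with one more string literal, as the added "tracefs" line does, means every further pseudo-filesystem that needs labels takes another kernel patch to this expression. Since the ack above treats this as a compatibility measure pending a general-purpose solution, the change log could say so explicitly, so the entry is easy to find and retire later.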
> 


* Re: [PATCH v3] selinux: add security in-core xattr support for tracefs
From: Paul Moore @ 2016-12-07 23:38 UTC
  To: william.c.roberts; +Cc: Stephen Smalley, nnk, selinux, Yongqin Liu

On Tue, Dec 6, 2016 at 1:27 PM,  <william.c.roberts@intel.com> wrote:
> From: Yongqin Liu <yongqin.liu@linaro.org>
>
> Since kernel 4.1 ftrace is supported as a new separate filesystem. It
> gets automatically mounted by the kernel under the old path
> /sys/kernel/debug/tracing. Because it lives now on a separate filesystem
> SELinux needs to be updated to also support setting SELinux labels
> on tracefs inodes.  This is required for compatibility in Android
> when moving to Linux 4.1 or newer.
>
> Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
>  security/selinux/hooks.c | 1 +
>  1 file changed, 1 insertion(+)

Merged for v4.11, thanks.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 09fd610..24bd84d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -491,6 +491,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
>                 !strcmp(sb->s_type->name, "sysfs") ||
>                 !strcmp(sb->s_type->name, "pstore") ||
>                 !strcmp(sb->s_type->name, "debugfs") ||
> +               !strcmp(sb->s_type->name, "tracefs") ||
>                 !strcmp(sb->s_type->name, "rootfs");
>  }
>
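Review bot: The subject promises "security in-core xattr support" while the change log only speaks of setting SELinux labels, and the hunk itself just adds "tracefs" to the return expression of selinux_is_sblabel_mnt(). A sentence in the change log connecting the two, saying what a true return from this function enables for a tracefs superblock, would make the one-line change reviewable without reading the rest of hooks.c.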
> --
> 2.7.4
>



-- 
paul moore
www.paul-moore.com
