From: Stephen Smalley <sds@tycho.nsa.gov>
To: Hridya Valsaraju <hridya@google.com>
Cc: Paul Moore <paul@paul-moore.com>,
	Eric Paris <eparis@parisplace.org>,
	selinux@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
	Android Kernel Team <kernel-team@android.com>,
	Jeff Vander Stoep <jeffv@google.com>,
	Mark Salyzyn <salyzyn@android.com>
Subject: Re: [PATCH] security: selinux: allow per-file labelling for binderfs
Date: Mon, 6 Jan 2020 14:33:58 -0500	[thread overview]
Message-ID: <c1354989-1e08-1433-f2c0-5984da341cf5@tycho.nsa.gov> (raw)
In-Reply-To: <CA+wgaPMHWOVYo_pVeYuvj6CrQOgy9=vQco+tnGHjPX3=CLh5wA@mail.gmail.com>

On 1/6/20 2:06 PM, Hridya Valsaraju wrote:
> On Mon, Jan 6, 2020 at 10:33 AM 'Stephen Smalley' via kernel-team
> <kernel-team@android.com> wrote:
>>
>> On 1/6/20 1:13 PM, Hridya Valsaraju wrote:
>>> This patch allows genfscon per-file labeling for binderfs.
>>> This is required to have separate permissions to allow
>>> access to binder, hwbinder and vndbinder devices which are
>>> relocating to binderfs.
>>>
>>> Acked-by: Jeff Vander Stoep <jeffv@google.com>
>>> Acked-by: Mark Salyzyn <salyzyn@android.com>
>>> Signed-off-by: Hridya Valsaraju <hridya@google.com>
>>
>> Do you want binderfs to also support userspace labeling of files via
>> setxattr()?  If so, you'll want to also add it to
>> selinux_is_genfs_special_handling() as well.
> 
> Thank you for the quick response Stephen :) I cannot think of a
> use-case for the userspace labelling of files in binderfs via
> setxattr() as of now. I will make the change if one comes up!

Ok, then you can include my:
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> 
> Thanks,
> Hridya
> 
> 
>>
>>> ---
>>>    security/selinux/hooks.c | 1 +
>>>    1 file changed, 1 insertion(+)
>>>
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 116b4d644f68..3f0669a708e9 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -752,6 +752,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>>>
>>>        if (!strcmp(sb->s_type->name, "debugfs") ||
>>>            !strcmp(sb->s_type->name, "tracefs") ||
>>> +         !strcmp(sb->s_type->name, "binderfs") ||
>>>            !strcmp(sb->s_type->name, "pstore"))
>>>                sbsec->flags |= SE_SBGENFS;
>>>
>>>
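Review bot: the one-line change only sets SE_SBGENFS for "binderfs", so inode labels on that filesystem will now come from genfscon path rules in policy, while selinux_is_genfs_special_handling() is left as it was and labeling from userspace via setxattr() stays unsupported for binderfs; since the reply in this thread says that is deliberate for now, please say so in the commit message so the next reader does not take it for an omission. Minor: inserting the new strcmp() between "tracefs" and "pstore" rather than at the end of the chain is harmless, as the || conditions are order-independent.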
>>


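The effect of the one-line change above is easiest to see in a small model of the labeling decision. The following Python is an added example, not kernel code from the patch or from the SELinux tree: it models the SE_SBGENFS flag being set for the filesystems named in the hunk, and the kernel's genfscon lookup, in which the longest matching path prefix among the policy's genfscon rules for that filesystem type wins. The genfscon rules, label strings and flag value are constructed sample values; the function and class names are assumptions of this example.

```python
"""Model of SELinux genfscon per-file labeling (added example, not kernel code).

Labels and rules below are constructed samples in Android's SELinux label
style.  The matching rule modeled here is the kernel's genfscon behaviour:
among the rules for a filesystem type, the longest path prefix that matches
the inode path wins.
"""
from dataclasses import dataclass

SE_SBGENFS = 0x01  # constructed flag value; only the presence of the bit matters

# Constructed genfscon rules: (fstype, path_prefix, label).  The three device
# names come from the patch description (binder, hwbinder, vndbinder).
GENFSCON_RULES = [
    ("binderfs", "/", "u:object_r:binderfs:s0"),
    ("binderfs", "/binder", "u:object_r:binder_device:s0"),
    ("binderfs", "/hwbinder", "u:object_r:hwbinder_device:s0"),
    ("binderfs", "/vndbinder", "u:object_r:vndbinder_device:s0"),
    ("debugfs", "/", "u:object_r:debugfs:s0"),
]

# Filesystem types that get SE_SBGENFS (per-file genfscon labeling).
# BEFORE mirrors the strcmp() chain before the patch, AFTER the chain with
# the "binderfs" line added.
PER_FILE_FSTYPES_BEFORE = {"debugfs", "tracefs", "pstore"}
PER_FILE_FSTYPES_AFTER = PER_FILE_FSTYPES_BEFORE | {"binderfs"}


@dataclass
class SuperBlock:
    """Hypothetical stand-in for a superblock plus its SELinux security blob."""
    fstype: str
    default_label: str  # label every inode gets when per-file labeling is off
    flags: int = 0


def set_mnt_opts(sb, per_file_fstypes):
    """Model of the hunk: flag the superblock when its type is in the list."""
    if sb.fstype in per_file_fstypes:
        sb.flags |= SE_SBGENFS
    return sb


def genfs_sid(fstype, path):
    """Longest matching genfscon path prefix for fstype, or None if no rule."""
    best_prefix, best_label = None, None
    for fs, prefix, label in GENFSCON_RULES:
        if fs != fstype or not path.startswith(prefix):
            continue
        if best_prefix is None or len(prefix) > len(best_prefix):
            best_prefix, best_label = prefix, label
    return best_label


def inode_label(sb, path):
    """Label an inode: per-file via genfscon when SE_SBGENFS is set, else the
    superblock-wide default."""
    if sb.flags & SE_SBGENFS:
        label = genfs_sid(sb.fstype, path)
        if label is not None:
            return label
    return sb.default_label


def label_device(fstype, path, per_file_fstypes):
    """Mount fstype under the given flag policy and label one device node."""
    sb = set_mnt_opts(SuperBlock(fstype, "u:object_r:binderfs:s0"), per_file_fstypes)
    return inode_label(sb, path)


if __name__ == "__main__":
    for name in ("/binder", "/hwbinder", "/vndbinder"):
        print(name,
              "before:", label_device("binderfs", name, PER_FILE_FSTYPES_BEFORE),
              "after:", label_device("binderfs", name, PER_FILE_FSTYPES_AFTER))
```

Without the flag every node under binderfs carries the superblock's single label, so policy cannot distinguish the three devices; with it, a separate genfscon rule per device name is honoured, which is the "separate permissions" the patch description asks for. A path with no specific rule falls through to the "/" rule, so a binderfs policy should always carry that catch-all entry.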
Thread overview: 6+ messages
2020-01-06 18:13 [PATCH] security: selinux: allow per-file labelling for binderfs Hridya Valsaraju
2020-01-06 18:34 ` Stephen Smalley
2020-01-06 19:06   ` Hridya Valsaraju
2020-01-06 19:33     ` Stephen Smalley [this message]
2020-01-06 22:25       ` Hridya Valsaraju
2020-01-07  2:13       ` Paul Moore