Re: [PATCH] selinux-testsuite: Update binder for kernel 5.4 support

From: Richard Haines <richard_c_haines@btinternet.com>
To: Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@vger.kernel.org, Greg KH <gregkh@linuxfoundation.org>
Subject: Re: [PATCH] selinux-testsuite: Update binder for kernel 5.4 support
Date: Wed, 09 Oct 2019 16:49:48 +0100	[thread overview]
Message-ID: <f534d405a0ff00169e93673ce26de8cc7a695874.camel@btinternet.com> (raw)
In-Reply-To: <CAHC9VhTmzp=miTR+aSvL+onOtd1P5=Ln1EKjLqFFuh7wkr1OYA@mail.gmail.com>

On Wed, 2019-10-09 at 10:03 -0400, Paul Moore wrote:
> On Wed, Oct 9, 2019 at 9:56 AM Stephen Smalley <sds@tycho.nsa.gov>
> wrote
> > On 10/8/19 5:43 PM, Paul Moore wrote:
> > > On Mon, Oct 7, 2019 at 12:35 PM Richard Haines
> > > <richard_c_haines@btinternet.com> wrote:
> > > > On Mon, 2019-10-07 at 16:17 +0100, Richard Haines wrote:
> > > > > On Mon, 2019-10-07 at 10:28 -0400, Stephen Smalley wrote:
> > > > > > On 10/6/19 4:51 AM, Richard Haines wrote:
> > > > > > > Kernel 5.4 commit
> > > > > > > ca2864c6e8965c37df97f11e6f99e83e09806b1c
> > > > > > > ("binder: Add
> > > > > > > default binder devices through binderfs when
> > > > > > > configured"),
> > > > > > > changed
> > > > > > > the way
> > > > > > > the binder device is initialised and no longer
> > > > > > > automatically
> > > > > > > generates
> > > > > > > /dev/binder when CONFIG_ANDROID_BINDERFS=y.
> > > > > > 
> > > > > > This seems like a userspace ABI break, no?  Same kernel
> > > > > > config
> > > > > > before
> > > > > > and after this commit yields different behavior for
> > > > > > /dev/binder.  I
> > > > > > suppose one might argue that one would only enable
> > > > > > CONFIG_ANDROID_BINDERFS if one wanted to use it instead of
> > > > > > /dev/binder
> > > > > > but the original commit that introduced binderfs
> > > > > > specifically said
> > > > > > that
> > > > > > backward compatibility was preserved.
> > > > > I'll need to check this further, but from what I've seen so
> > > > > far, is
> > > > > that the /dev/binder is not available until you mount
> > > > > binderfs etc.
> > > > > that's why Paul had the failure on 5.4 as before then is was
> > > > > available
> > > > > when the binder driver first initialised.
> > > > 
> > > > To confirm tests using kernel 5.4-rc1
> > > > 
> > > > Test 1 config:
> > > > CONFIG_ANDROID=y
> > > > CONFIG_ANDROID_BINDER_IPC=y
> > > > CONFIG_ANDROID_BINDERFS=y
> > > > CONFIG_ANDROID_BINDER_DEVICES="binder"
> > > > 
> > > > On boot no /dev/binder
> > > > 
> > > > To get this you have to:
> > > > mkdir /dev/binderfs 2>/dev/null
> > > > mount -t binder binder /dev/binderfs -o
> > > > context=system_u:object_r:device_t:s0 2>/dev/null
> > > > 
> > > > You then have devs:
> > > > binder and binder-control
> > > > 
> > > > Test 2 config:
> > > > CONFIG_ANDROID=y
> > > > CONFIG_ANDROID_BINDER_IPC=y
> > > > # CONFIG_ANDROID_BINDERFS is not set
> > > > CONFIG_ANDROID_BINDER_DEVICES="binder"
> > > > 
> > > > On boot you have /dev/binder
> > > 
> > > Disabling binderfs during build is probably not the smart thing
> > > to do
> > > considering where the world is at with namespaces/containers,
> > > whatever
> > > we do we should make sure the tests work with
> > > CONFIG_ANDROID_BINDERFS=y.
> > 
> > Yes, I think the question is just whether we want to have the tests
> > use
> > binderfs for kernel >= 5.0 (i.e. the point at which binderfs was
> > first
> > introduced) or for kernel >= 5.4 (i.e. the point at which binderfs
> > usage
> > became mandatory if you enable it in your config because
> > /dev/binder is
> > no longer automatically created).  I'm fine either way.
> 
> Agreed in that it probably doesn't matter all that much.  I might be
> tempted to start with v5.4 over v5.0 since the old way still worked
> on
> v5.0 through v5.3 and it might be nice to notice if that changes in a
> v5.{0..3}.Z release.
> 
Thanks for the feedback, I will start using binderfs from 5.4.