On 04/29/2015 11:40 AM, William Roberts wrote:
>
> On Apr 29, 2015 5:27 AM, "Stephen Smalley" <[email protected]> wrote:
>>
>> On 04/28/2015 07:01 PM, William Roberts wrote:
>> > Stephen what's the effort to get option 3 done?
>>
>> Probably just requires changing sysfs to call the
>> security_inode_init_security() hook when creating a new inode so that
>> the usual logic is applied in labeling new files. Simple, but may have
>> unintended side effects.
>>
>
> The side effects might be interesting. Looks like sysfs got refactored
> to use kernfs and cgroups is based off of that code as well. The
> kernfs_init_inode() routine looks promising.
>
> Also looks like we can do it in the sysfs (perhaps in sysfs_create_file)
> only layer as the kernfs objects seem to be housing an inode that you
> can get with iget_locked(). However it requires the super block and it's
> not quite obvious to me how to traverse their abstractions offhand and
> ensure namespaces are properly handled.
Yes, I'd suggest hooking kernfs. cgroup is another case where we'd like to improve granularity of labeling. I think it did get xattr support at some point, and with the refactoring on top of kernfs, I think it still has that. So it might be possible to restorecon it after mount on modern kernels and label it that way. Not something I've looked into much.
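A check for the "restorecon it after mount" idea above, added here as an example rather than anything posted to the thread: SELinux appends the `seclabel` option to a mount's entry in /proc/mounts when the filesystem supports per-file xattr labeling, so a mount without it (sysfs in the situation discussed, where every file carries one genfscon label) cannot be fixed up by restorecon and needs the kernel-side hook instead. The sample mount table is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the seandroid-list thread. Classifies
# /proc/mounts-format lines by whether SELinux reports "seclabel" in the
# mount options, i.e. whether per-file xattr labels (and restorecon) work.

# Print "<mountpoint> <fstype>" for each line on stdin whose option list
# contains seclabel: these mounts can be relabeled per-file after mount.
labelable_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        case ",$opts," in
            *,seclabel,*) printf '%s %s\n' "$mnt" "$fstype" ;;
        esac
    done
}

# Same input, the mounts without seclabel: every file shares the label
# assigned at mount time (genfscon), so restorecon cannot change it.
unlabelable_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        case ",$opts," in
            *,seclabel,*) ;;
            *) printf '%s %s\n' "$mnt" "$fstype" ;;
        esac
    done
}

# Constructed sample in /proc/mounts format (not a real host's table).
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,seclabel 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,seclabel 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,seclabel,memory 0 0'

# On a live system use:  labelable_mounts < /proc/self/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | labelable_mounts
```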
