On 06/02/2015 02:18 PM, Roberts, William C wrote:
> Given that rootfs supports restorecon can we kill seclabel and just
> label things in sbin and set up transitions? Can we perhaps support
> genfscon path name labeling like in sysfs/procfs and thus avoid the need
> for a restorecon?
>
> Any objections to this or preference in approach?

Just to note, not all uses of seclabel are for /sbin or even rootfs
binaries.  Some are for e.g. the console service shell and shell scripts
run from /system/bin.  Could probably eliminate those as well by
labeling each script file and directly executing them (also requires
ensuring that their file mode is executable), but that would need to be
done.

genfscon would not be fully safe in general for rootfs because its
directory tree is mutable by userspace, i.e. directories and files
within it can be created, deleted, linked, and renamed, so a process
could potentially cause a file or directory to become accessible under a
different label via directory manipulation.  Admittedly however that
would only be possible for processes with the necessary permissions, and
we only allow init to write rootfs:dir.

With all of the recent additions to the list of filesystem types that
support per-file labeling via genfscon or by using setxattr on a
genfscon-labeled filesystem, I added an item to the todo list to
generalize that support and take it to the policy so that we can specify
the set of filesystem types in policy, see the tail of:
https://bitbucket.org/seandroid/wiki/wiki/ToDo

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].
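Editor's note, added to this archived thread and not part of any message above or of the AOSP sepolicy tree: the fragment below sketches what "kill seclabel and set up transitions" looks like for one daemon and one shell script. The daemon name foo, the script name bar.sh, the type names derived from them, and the init.rc service definitions are all hypothetical; the macros init_daemon_domain, domain_auto_trans and rx_file_perms, and the shell_exec type for /system/bin/sh, are the ones the Android platform policy of that era defines.

```sepolicy
# Added example, not from the thread. Hypothetical daemon "foo" in /sbin
# and hypothetical script "bar.sh" in /system/bin, on an Android tree that
# uses the te_macros shipped with the platform sepolicy.

# --- init.rc, before: the domain is forced with seclabel ---------------
#   service foo /sbin/foo
#       class core
#       seclabel u:r:foo:s0
#
# --- init.rc, after: no seclabel; init execs the labeled file ----------
#   service foo /sbin/foo
#       class core
#
#   service bar /system/bin/bar.sh     # run directly, not "sh bar.sh",
#       class late_start               # so the file must be mode 0755
#       oneshot

# --- file_contexts: give each executable its own exec type -------------
# The /sbin entry only takes effect once init has run restorecon over
# the rootfs path; /system is labeled at image build time.
/sbin/foo            u:object_r:foo_exec:s0
/system/bin/bar\.sh  u:object_r:bar_exec:s0

# --- foo.te ------------------------------------------------------------
type foo, domain;
type foo_exec, exec_type, file_type;
# Expands to domain_auto_trans(init, foo_exec, foo): the type_transition
# rule plus the execute/transition/entrypoint allows needed to enter foo.
init_daemon_domain(foo)

# --- bar.te ------------------------------------------------------------
type bar, domain;
type bar_exec, exec_type, file_type;
init_daemon_domain(bar)
# For a "#!/system/bin/sh" script the kernel computes the transition from
# the script's own label, so bar_exec on bar.sh is what lands the process
# in bar. The interpreter still has to be executable from the new domain:
allow bar shell_exec:file rx_file_perms;
```

Two things to check when converting a service this way: the file really does carry the exec type at the time init starts it (for rootfs that means the restorecon has already run), and, for scripts, that the exec bit is set, since init now execs the script itself rather than passing it to sh. Neither check is needed while seclabel is in place, which is why dropping it can fail in ways that only show up as a service stuck in init's domain or refusing to start.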