Re: [PATCH v3 2/7] selinux: Add accessor functions for inode->i_security

2015-10-28 Thread Andreas Gruenbacher
On Tue, Oct 27, 2015 at 6:20 PM, Stephen Smalley wrote: > On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: >> @@ -2217,7 +2231,7 @@ static int selinux_bprm_set_creds(struct >> linux_binprm *bprm) >> >> old_tsec = current_security(); >> new_tsec =

Re: [PATCH 0/7] devcg: device cgroup extension for rdma resource

2015-10-28 Thread Parav Pandit
Hi, I finally got some chance and progress on redesigning rdma cgroup controller for the most use cases that we discussed in this email chain. I am posting RFC and soon code in new email. Parav On Sun, Sep 20, 2015 at 4:05 PM, Haggai Eran wrote: > On 15/09/2015 06:45,

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-28 Thread Stephen Smalley
On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote: > On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley wrote: >> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: >>> >>> Use path_has_perm directly instead. >> >> >> This reverts: >> >> commit

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-28 Thread Stephen Smalley
On 10/28/2015 01:31 PM, Stephen Smalley wrote: On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote: On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley wrote: On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Use path_has_perm directly instead. This reverts: commit

Re: [PATCH v2] selinux: export validatetrans decisions

2015-10-28 Thread Stephen Smalley
On 10/27/2015 04:48 PM, Andrew Perepechko wrote: Make validatetrans decisions available through selinuxfs. "/validatetrans" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing

Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-28 Thread Andreas Gruenbacher
On Wed, Oct 28, 2015 at 10:12 PM, Paul Moore wrote: > On Mon, Oct 26, 2015 at 5:15 PM, Andreas Gruenbacher > wrote: >> Here is another version of the patch queue to make gfs2 and similar file >> systems work with SELinux. As suggested by Stephen Smalley

[PATCH v4 1/7] selinux: Remove unused variable in selinux_inode_init_security

2015-10-28 Thread Andreas Gruenbacher
Signed-off-by: Andreas Gruenbacher Acked-by: Stephen Smalley --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e4369d8..fc8f626 100644 ---

[PATCH v4 6/7] selinux: Revalidate invalid inode security labels

2015-10-28 Thread Andreas Gruenbacher
When fetching an inode's security label, check if it is still valid, and try reloading it if it is not. Reloading will fail when we are in RCU context which doesn't allow sleeping, or when we can't find a dentry for the inode. (Reloading happens via iop->getxattr which takes a dentry parameter.)

[PATCH v4 7/7] gfs2: Invalidate security labels of inodes when they go invalid

2015-10-28 Thread Andreas Gruenbacher
When gfs2 releases the glock of an inode, it must invalidate all information cached for that inode, including the page cache and acls. Use the new security_inode_invalidate_secctx hook to also invalidate security labels in that case. These items will be reread from disk when needed after