On Tue, Aug 29, 2017 at 5:50 AM Stephen Smalley <[email protected]> wrote:
> On Mon, 2017-08-28 at 14:58 -0700, Jeffrey Vander Stoep via Selinux
> wrote:
> > Genfs_contexts does not label symlinks in sysfs, instead it leaves
> > them with the default “sysfs” label. Is this a bug?
>
> We excluded symlinks from genfscon labeling back when only proc was
> using genfscon for per-file labeling and we encountered a compatibility
> problem when /proc/net was moved to /proc/self/net for network
> namespaces (see commit cited below). Suddenly applications were getting
> proc_net_t:lnk_file read denials when accessing /proc/net because
> existing policies only allowed proc_t:lnk_file read and
> proc_net_t:dir/file read, so new kernel + old policy broke userspace,
> which is not allowed by Linus. At the time, I couldn't see a use case
> where we would need to support per-file labeling of symlinks in proc,
> since the only meaningful operation on a proc symlink is read/getattr.
> The real access controls are to the individual directories/files, not
> the symlinks.
>

We previously allowed read on all symlinks with "sysfs" label. I've added
getattr here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/470500/

Sounds like that should be sufficient to avoid breaking anything, at least
for sysfs.

> Do you truly need per-file labeling of symlinks in sysfs? What's the
> use case? I guess it is an inconsistency between the support for sysfs
> labeling via setxattr vs genfscon, but there are likely other more
> significant inconsistencies due to the support for pathname regexes in
> file_contexts versus pathname prefixes in genfscon, e.g. see
> https://github.com/SELinuxProject/selinux-kernel/issues/29
>
> That said, I agree it is an ugly hack and should likely be removed if
> it doesn't cause compatibility problems (we'd need to test on RHEL 6/7
> at least).
>
> Have you measured to see the impact of switching from setxattr to
> genfscon for sysfs labeling?
>

Yes, a couple of data points:

1. Moving sysfs and debugfs to genfscon resulted in ~200 ms faster boot
time on Marlin.
2. Also on Marlin, coming out of suspend with screen off (which happens
somewhat regularly) takes about 500 ms. We were spending ~120 ms of that
in restorecon of /sys/devices/system/cpu. Moving to genfscon reduced the
restorecon time from 120 ms to 3 ms, resulting in a significant
improvement in screen-off battery life.

>
> commit ea6b184f7d521a503ecab71feca6e4057562252b
> Author: Stephen Smalley <[email protected]>
> Date:   Mon Sep 22 15:41:19 2008 -0400
>
>     selinux: use default proc sid on symlinks
>
>     As we are not concerned with fine-grained control over reading of
>     symlinks in proc, always use the default proc SID for all proc
>     symlinks.
>     This should help avoid permission issues upon changes to the proc tree
>     as in the /proc/net -> /proc/self/net example.
>     This does not alter labeling of symlinks within /proc/pid directories.
>     ls -Zd /proc/net output before and after the patch should show the
>     difference.
>
>     Signed-off-by: Stephen D. Smalley <[email protected]>
>     Signed-off-by: James Morris <[email protected]>
>
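As an added illustration, not code from the thread or from the kernel, here is a small Python model of the labeling decision discussed above: genfscon longest-prefix matching with the symlink exclusion, checked against a constructed "old policy" to show why the /proc/net move would have produced lnk_file denials without it. The genfscon entries, the domain app_t and the allow rules are constructed assumptions, not a real policy.

```python
# Constructed genfscon table: (fstype, path prefix relative to the fs root,
# type). Not a real policy; it mirrors the two cases discussed in the thread.
GENFSCON = [
    ("proc", "/", "proc_t"),
    ("proc", "/net", "proc_net_t"),
    ("sysfs", "/", "sysfs"),
    ("sysfs", "/devices/system/cpu", "sysfs_devices_system_cpu"),
]

# Constructed "old policy" allow rules: (source, target, class) -> perms.
# It allows proc_t:lnk_file but not proc_net_t:lnk_file, as in the thread.
OLD_POLICY = {
    ("app_t", "proc_t", "lnk_file"): {"read", "getattr"},
    ("app_t", "proc_net_t", "dir"): {"read", "search", "getattr"},
    ("app_t", "proc_net_t", "file"): {"read", "open", "getattr"},
    ("app_t", "sysfs", "lnk_file"): {"read", "getattr"},
}


def genfs_label(fstype, path, is_symlink, symlink_hack=True):
    """Label a genfscon-mounted inode: plain string-prefix match against the
    fstype's entries, longest match wins.  With symlink_hack=True (the 2008
    behaviour, still applied to sysfs) symlinks skip the lookup and get the
    filesystem's default label, i.e. the "/" entry."""
    entries = [(p, t) for fs, p, t in GENFSCON if fs == fstype]
    default = dict(entries)["/"]
    if is_symlink and symlink_hack:
        return default
    matches = [(p, t) for p, t in entries if path.startswith(p)]
    return max(matches, key=lambda e: len(e[0]))[1]


def access_allowed(domain, fstype, path, is_symlink, perm,
                   symlink_hack=True, policy=OLD_POLICY):
    """Return True if `domain` may perform `perm` on the given inode."""
    tclass = "lnk_file" if is_symlink else "file"
    target = genfs_label(fstype, path, is_symlink, symlink_hack)
    return perm in policy.get((domain, target, tclass), set())


if __name__ == "__main__":
    # /proc/net became a symlink to /proc/self/net; old policy only allows
    # proc_t:lnk_file read, so per-file symlink labeling would deny it.
    for hack in (True, False):
        label = genfs_label("proc", "/net", is_symlink=True, symlink_hack=hack)
        ok = access_allowed("app_t", "proc", "/net", True, "read", hack)
        print(f"symlink_hack={hack}: /proc/net -> {label}:lnk_file read "
              f"{'allowed' if ok else 'DENIED'}")
```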
