* [PATCH] selinux: enable genfscon labeling for tracefs
@ 2017-06-20 16:35 Jeff Vander Stoep
  2017-06-20 17:12 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Jeff Vander Stoep @ 2017-06-20 16:35 UTC (permalink / raw)
  To: selinux; +Cc: paul, sds, Jeff Vander Stoep

In kernel version 4.1, tracefs was separated from debugfs into its
own filesystem. Prior to this split, files in
/sys/kernel/debug/tracing could be labeled during filesystem
creation using genfscon or later from userspace using setxattr. This
change re-enables support for genfscon labeling.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
 security/selinux/hooks.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 820c16e36af8..33fd061305c4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -813,6 +813,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
 
 	if (!strcmp(sb->s_type->name, "debugfs") ||
+	    !strcmp(sb->s_type->name, "tracefs") ||
 	    !strcmp(sb->s_type->name, "sysfs") ||
 	    !strcmp(sb->s_type->name, "pstore"))
 		sbsec->flags |= SE_SBGENFS;
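Review bot: this grows the hard-coded strcmp() list of filesystem type names in selinux_set_mnt_opts(), so every further pseudo-filesystem that wants genfscon labeling will need its own kernel patch, which is the maintenance cost the reviewers in this thread point at (https://github.com/SELinuxProject/selinux-kernel/issues/2); a per-filesystem-type flag would avoid that, but as a one-line fix for a user-visible regression the hunk is correct and consistent with the existing debugfs, sysfs and pstore entries. A smaller point is documentation: the commit message says tracefs was split out of debugfs in 4.1 but not what policy authors must do as a result, so it would help to state that a separate `genfscon tracefs / ...` rule is now required, since the old debugfs `/tracing` rule no longer covers these inodes.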
-- 
2.13.1.518.g3df882009-goog
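As an added illustration that is not part of this patch or the kernel tree, this is the policy-side counterpart in kernel policy language: a genfscon rule for the tracefs filesystem type, which only takes effect once selinux_set_mnt_opts() treats tracefs as a genfscon filesystem as the hunk above makes it do. The type name tracefs_t, the domain tracing_tool_t, the system_u user, the absence of an MLS range and the /sys/kernel/tracing mount point are assumptions chosen for the example.

```selinux
# Example policy fragment (constructed for illustration; not from the
# kernel tree or any shipped policy). Names are assumptions.

attribute domain;
type tracefs_t;                       # hypothetical type for tracefs inodes
type tracing_tool_t;                  # hypothetical domain that reads traces
typeattribute tracing_tool_t domain;

# Before kernel 4.1 the tracing files lived under debugfs, so a path-based
# debugfs rule labeled them at mount time (genfscon is path-prefix based).
genfscon debugfs /tracing system_u:object_r:tracefs_t

# From 4.1 on tracefs is its own filesystem type, so the debugfs rule above
# no longer matches. This rule is what the patched selinux_set_mnt_opts()
# consults; on a kernel without the patch it loads but is never applied,
# because tracefs was not in the list of filesystem types that use genfscon.
genfscon tracefs / system_u:object_r:tracefs_t

# Least-privilege access for the tracing domain: read-only on the tracefs
# tree. A denial on an unpatched kernel would not show tcontext=tracefs_t,
# which is the quickest sign that the genfscon rule is not being applied.
allow tracing_tool_t tracefs_t:dir  { search getattr open read };
allow tracing_tool_t tracefs_t:file { getattr open read };
```

With the policy loaded on a patched kernel, `ls -Zd /sys/kernel/tracing` should report tracefs_t (assumed mount point); `seinfo --genfscon` from setools lists the genfscon rules the loaded policy actually contains, which separates a missing rule from a kernel that ignores it.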


* Re: [PATCH] selinux: enable genfscon labeling for tracefs
  2017-06-20 16:35 [PATCH] selinux: enable genfscon labeling for tracefs Jeff Vander Stoep
@ 2017-06-20 17:12 ` Stephen Smalley
  2017-06-20 19:55   ` Paul Moore
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2017-06-20 17:12 UTC (permalink / raw)
  To: Jeff Vander Stoep, selinux

On Tue, 2017-06-20 at 09:35 -0700, Jeff Vander Stoep wrote:
> In kernel version 4.1, tracefs was separated from debugfs into its
> own filesystem. Prior to this split, files in
> /sys/kernel/debug/tracing could be labeled during filesystem
> creation using genfscon or later from userspace using setxattr. This
> change re-enables support for genfscon labeling.
> 
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>

I don't suppose we could get you to tackle
https://github.com/SELinuxProject/selinux-kernel/issues/2
so that we don't have to keep patching these filesystem type
whitelists?

That said, given that this is a user-visible regression, I'm ok with
this as the short term fix.

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>  security/selinux/hooks.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 820c16e36af8..33fd061305c4 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -813,6 +813,7 @@ static int selinux_set_mnt_opts(struct
> super_block *sb,
>  		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
>  
>  	if (!strcmp(sb->s_type->name, "debugfs") ||
> +	    !strcmp(sb->s_type->name, "tracefs") ||
>  	    !strcmp(sb->s_type->name, "sysfs") ||
>  	    !strcmp(sb->s_type->name, "pstore"))
>  		sbsec->flags |= SE_SBGENFS;


* Re: [PATCH] selinux: enable genfscon labeling for tracefs
  2017-06-20 17:12 ` Stephen Smalley
@ 2017-06-20 19:55   ` Paul Moore
  0 siblings, 0 replies; 3+ messages in thread
From: Paul Moore @ 2017-06-20 19:55 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jeff Vander Stoep, selinux

On Tue, Jun 20, 2017 at 1:12 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Tue, 2017-06-20 at 09:35 -0700, Jeff Vander Stoep wrote:
>> In kernel version 4.1, tracefs was separated from debugfs into its
>> own filesystem. Prior to this split, files in
>> /sys/kernel/debug/tracing could be labeled during filesystem
>> creation using genfscon or later from userspace using setxattr. This
>> change re-enables support for genfscon labeling.
>>
>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
>
> I don't suppose we could get you to tackle
> https://github.com/SELinuxProject/selinux-kernel/issues/2
> so that we don't have to keep patching these filesystem type
> whitelists?

+1 for Stephen's request.  For what it's worth you'll also earn my
appreciation, or your beverage of choice the next time we are in the
same spot (I'd go for the drink if I were you, much more valuable).

> That said, given that this is a user-visible regression, I'm ok with
> this as the short term fix.
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

Looks fine to me too, merged into selinux/next.

>> ---
>>  security/selinux/hooks.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 820c16e36af8..33fd061305c4 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -813,6 +813,7 @@ static int selinux_set_mnt_opts(struct
>> super_block *sb,
>>               sbsec->flags |= SE_SBPROC | SE_SBGENFS;
>>
>>       if (!strcmp(sb->s_type->name, "debugfs") ||
>> +         !strcmp(sb->s_type->name, "tracefs") ||
>>           !strcmp(sb->s_type->name, "sysfs") ||
>>           !strcmp(sb->s_type->name, "pstore"))
>>               sbsec->flags |= SE_SBGENFS;

-- 
paul moore
www.paul-moore.com

