* Re: [PATCH] security: selinux: allow changing labels for cgroupfs
From: Antonio Murdaca @ 2017-02-02 15:22 UTC (permalink / raw)
To: selinux-+05T5uksL2qpZYMLLGbcSA, Antonio Murdaca,
cgroups-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA, Vivek Goyal
On Thu, Feb 2, 2017 at 4:01 PM, Gary Tierney <gary.tierney-KK0ffGbhmjU@public.gmane.org> wrote:
> On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote:
> > This patch allows changing labels for cgroup mounts. Previously, running
> > chcon on cgroupfs would throw an "Operation not supported". This patch
> > specifically whitelist cgroupfs.
> >
> > The patch could also allow containers to write only to the systemd cgroup
> > for instance, while the other cgroups are kept with cgroup_t label.
> >
> > Signed-off-by: Antonio Murdaca <runcom-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> > ---
> > security/selinux/hooks.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 3b955c6..4e84211 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -480,6 +480,7 @@ static int selinux_is_sblabel_mnt(struct super_block
> *sb)
> > sbsec->behavior == SECURITY_FS_USE_NATIVE ||
> > /* Special handling. Genfs but also in-core setxattr
> handler */
> > !strcmp(sb->s_type->name, "sysfs") ||
> > + !strcmp(sb->s_type->name, "cgroup") ||
>
> Should we also include "cgroup2" here, since they are defined as 2
> distinct filesystems? https://github.com/SELinuxProject/selinux-kernel/
> blob/master/kernel/cgroup.c#L2314-L2326
likely yes
>
>
> > !strcmp(sb->s_type->name, "pstore") ||
> > !strcmp(sb->s_type->name, "debugfs") ||
> > !strcmp(sb->s_type->name, "tracefs") ||
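Review bot: the added entry `+ !strcmp(sb->s_type->name, "cgroup") ||` only covers the v1 filesystem type; as the reply above notes, cgroup v2 is registered as a separate filesystem type named "cgroup2", so a relabel on a cgroup2 mount would still fail with "Operation not supported". Suggest adding `!strcmp(sb->s_type->name, "cgroup2") ||` directly after it and stating in the commit message that both filesystem types are whitelisted rather than only "cgroupfs".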
> > --
> > 2.9.3
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
> > To unsubscribe, send email to Selinux-leave-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
> > To get help, send an email containing "help" to
> Selinux-request-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
>
--
Antonio (runcom) Murdaca, RHCE
Senior Software Engineer - Containers
09B9 8F09 3E2D C310 E250 69B5 B2BE AD15 0DE9 36B9
<https://pgp.mit.edu/pks/lookup?op=get&search=0xB2BEAD150DE936B9>
* Re: [PATCH] security: selinux: allow changing labels for cgroupfs
From: Antonio Murdaca @ 2017-02-02 15:35 UTC (permalink / raw)
To: selinux-+05T5uksL2qpZYMLLGbcSA, Antonio Murdaca,
cgroups-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA, Vivek Goyal
On Thu, Feb 2, 2017 at 4:01 PM, Gary Tierney <gary.tierney-KK0ffGbhmjU@public.gmane.org> wrote:
> On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote:
>> This patch allows changing labels for cgroup mounts. Previously, running
>> chcon on cgroupfs would throw an "Operation not supported". This patch
>> specifically whitelist cgroupfs.
>>
>> The patch could also allow containers to write only to the systemd cgroup
>> for instance, while the other cgroups are kept with cgroup_t label.
>>
>> Signed-off-by: Antonio Murdaca <runcom-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>> ---
>> security/selinux/hooks.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 3b955c6..4e84211 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -480,6 +480,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
>> sbsec->behavior == SECURITY_FS_USE_NATIVE ||
>> /* Special handling. Genfs but also in-core setxattr handler */
>> !strcmp(sb->s_type->name, "sysfs") ||
>> + !strcmp(sb->s_type->name, "cgroup") ||
>
> Should we also include "cgroup2" here, since they are defined as 2
> distinct filesystems? https://github.com/SELinuxProject/selinux-kernel/blob/master/kernel/cgroup.c#L2314-L2326
likely yes
>
>> !strcmp(sb->s_type->name, "pstore") ||
>> !strcmp(sb->s_type->name, "debugfs") ||
>> !strcmp(sb->s_type->name, "tracefs") ||
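Review bot: the new `+ !strcmp(sb->s_type->name, "cgroup") ||` line matches the v1 filesystem type name only; cgroup v2 is a distinct filesystem type named "cgroup2" (the point raised in the reply above), so that mount would keep rejecting chcon. Suggest a matching `!strcmp(sb->s_type->name, "cgroup2") ||` entry beneath it, with the commit message updated to say both types are covered.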
>> --
>> 2.9.3
>>
--
Antonio (runcom) Murdaca, RHCE
Senior Software Engineer - Containers
09B9 8F09 3E2D C310 E250 69B5 B2BE AD15 0DE9 36B9