From: Ben Shelton <ben.shelton@ni.com>
To: Artem Bityutskiy <dedekind1@gmail.com>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>,
Subodh Nijsure <snijsure@grid-net.com>,
linux-mtd@lists.infradead.org, adrian.hunter@intel.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/4] UBIFS: Add xattr support for symlinks
Date: Mon, 10 Nov 2014 11:12:53 -0600
Message-ID: <20141110171253.GA18047@bshelton-desktop>
In-Reply-To: <1415628106.22887.122.camel@sauron.fi.intel.com>

On 11/10, Artem Bityutskiy wrote:
> Could you please re-test this with any kernel and carefully verify
> symlinks. I think this should not work, because in case of symlinks we
> already store the link target path in the inode, and with this patch the
> target patch will be over-written with the SELinux label. I expect this
> to be seen easily on testing - symlink targets should be corrupted.
>
> Artem.
>

I retested this with a 3.18-rc3 kernel on one of our ARM-based targets.
The kernel has patch 1/4 with your changes, plus patches 2/4, 3/4, and
4/4 as posted.

Initially, I booted the target with SELinux disabled. I then created
'testfile' and made a symlink 'testlink' pointing to it. I also created
a symlink 'testlink_2' that points to /bin/bash.

I then enabled SELinux in permissive mode and rebooted the target. As
this was the first boot into SELinux, it relabeled the filesystems and
rebooted. After it came back up, I created 'testfile_afterrelabel' and
made a symlink 'testlink_afterrelabel' pointing to it. In addition, I
checked the symlinks that are managed by update-alternatives. Finally,
I ran `ls -lRZ / | grep ^l` and did not see any corrupted symlink
targets.

The results are below, and they look sane to me. Please let me know if
there is additional testing you would like me to perform.

admin@galvanized:~# uname -a
Linux galvanized 3.18.0-rc3-ni-04094-g7b78529 #1 SMP Mon Nov 10 09:59:06 CST 2014 armv7l GNU/Linux
admin@galvanized:~# mount | grep ubifs
ubi1:rootfs on / type ubifs (rw,relatime,seclabel)
ubi0:bootfs on /boot type ubifs (rw,noatime,sync,seclabel)
ubi0:config on /etc/natinst/share type ubifs (rw,relatime,sync,seclabel)
admin@galvanized:~# pwd
/home/admin
admin@galvanized:~# ls -lZ
total 8
-rw-r--r--. 1 admin administrators user_u:object_r:user_home_t 15 Nov 10 16:20 testfile
-rw-r--r--. 1 admin administrators root:object_r:user_home_t 21 Nov 10 16:50 testfile_afterrelabel
lrwxrwxrwx. 1 admin administrators user_u:object_r:user_home_t 8 Nov 10 16:21 testlink -> testfile
lrwxrwxrwx. 1 admin administrators user_u:object_r:user_home_t 9 Nov 10 16:21 testlink_2 -> /bin/bash
lrwxrwxrwx. 1 admin administrators root:object_r:user_home_t 21 Nov 10 16:51 testlink_afterrelabel -> testfile_afterrelabel
admin@galvanized:~# which ls
/bin/ls
admin@galvanized:~# ls -lZ /bin/ls
lrwxrwxrwx. 1 admin administrators system_u:object_r:bin_t 12 Nov 10 16:08 /bin/ls -> ls.coreutils
admin@galvanized:~# ls -lZ /bin/grep
lrwxrwxrwx. 1 admin administrators system_u:object_r:bin_t 25 Nov 5 20:39 /bin/grep -> /usr/lib/busybox/bin/grep

Best,
Ben
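
An added example, not part of the original message: a shell script for the check described above that records every symlink target before the SELinux relabel and compares afterwards, rather than inspecting `ls -lRZ` output by eye. The function names and the script name check-symlinks.sh are hypothetical, and paths containing newlines are not handled.

```shell
#!/bin/sh
# Added example (not from the original thread): detect symlink targets that
# changed across an event such as a first-boot SELinux relabel.

# snapshot_links DIR
# Print one "path<TAB>target" record per symlink under DIR, staying on one
# filesystem (-xdev) and sorted bytewise so two snapshots can be compared.
snapshot_links() {
    find "$1" -xdev -type l 2>/dev/null |
    while IFS= read -r link; do
        # readlink prints the stored target even when it dangles
        printf '%s\t%s\n' "$link" "$(readlink "$link")"
    done | LC_ALL=C sort
}

# changed_links BEFORE AFTER
# Print every record from BEFORE that is absent from AFTER, meaning the
# link vanished or its stored target differs. Returns 1 if any were found.
changed_links() {
    out=$(LC_ALL=C comm -23 "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Command-line use (assumed file names):
#   sh check-symlinks.sh snapshot / > before.txt    # SELinux still disabled
#   ... enable SELinux, let the relabel run, reboot ...
#   sh check-symlinks.sh snapshot / > after.txt
#   sh check-symlinks.sh compare before.txt after.txt
case "${1:-}" in
    snapshot) snapshot_links "${2:-/}" ;;
    compare)  changed_links "$2" "$3" ;;
esac
```

Links created after the first snapshot, such as 'testlink_afterrelabel', appear only in the second file and are not reported; a link whose target was overwritten shows up with its original target.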