Date: Thu, 2 Feb 2017 15:01:18 +0000
From: Gary Tierney
To: selinux@tycho.nsa.gov
Cc: amurdaca@redhat.com, cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, vgoyal@redhat.com
Subject: Re: [PATCH] security: selinux: allow changing labels for cgroupfs
Message-ID: <20170202150118.GA6441@localhost.localdomain>
In-Reply-To: <20170202144228.24454-1-runcom@redhat.com>
References: <20170202144228.24454-1-runcom@redhat.com>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote:
> This patch allows changing labels for
> cgroup mounts. Previously, running
> chcon on cgroupfs would throw an "Operation not supported". This patch
> specifically whitelists cgroupfs.
>
> The patch could also allow containers to write only to the systemd cgroup
> for instance, while the other cgroups are kept with the cgroup_t label.
>
> Signed-off-by: Antonio Murdaca
> --- > security/selinux/hooks.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3b955c6..4e84211 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -480,6 +480,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) > sbsec->behavior == SECURITY_FS_USE_NATIVE || > /* Special handling. Genfs but also in-core setxattr handler */ > !strcmp(sb->s_type->name, "sysfs") || > + !strcmp(sb->s_type->name, "cgroup") ||

Should we also include "cgroup2" here, since they are defined as 2 distinct filesystems?

https://github.com/SELinuxProject/selinux-kernel/blob/master/kernel/cgroup.c#L2314-L2326

> !strcmp(sb->s_type->name, "pstore") || > !strcmp(sb->s_type->name, "debugfs") || > !strcmp(sb->s_type->name, "tracefs") || > -- > 2.9.3
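Review bot: the added `!strcmp(sb->s_type->name, "cgroup") ||` matches only the filesystem type registered under the name "cgroup"; as the reply in this thread points out, the unified hierarchy is registered as the separate type "cgroup2", so a cgroup2 mount would still take the "Operation not supported" path the commit message describes. Suggest adding `!strcmp(sb->s_type->name, "cgroup2") ||` directly beside it, and spelling out in the commit message which of the two types "cgroupfs" is meant to cover, since the text as written reads as if every cgroup mount becomes relabelable.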
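A check that follows from the thread, added here as an example and not code from either mail: on a running system the question the reply raises (is a given mount "cgroup" or "cgroup2", and does the kernel treat it as labelable?) can be answered from `/proc/self/mountinfo`, because SELinux appends `seclabel` to a superblock's options once it has marked that superblock labelable, the decision `selinux_is_sblabel_mnt()` in the hunk makes. The function below parses mountinfo lines and reports, for every cgroup or cgroup2 mount, its type and whether `seclabel` is present. The mountinfo sample is constructed (it is not from any real host) and shows what a kernel carrying only the "cgroup" entry would report.

```shell
#!/bin/sh
# Classify cgroup mounts from a mountinfo listing: print mount point, filesystem
# type, and whether the superblock options carry "seclabel", which SELinux adds
# to superblocks it marked labelable (SBLABEL_MNT). Without it, chcon/setfattr on
# security.selinux returns EOPNOTSUPP ("Operation not supported").
# Usage on a live system: cgroup_mounts < /proc/self/mountinfo
cgroup_mounts() {
    # mountinfo record: "<id> <parent> <maj:min> <root> <mountpoint> <opts> <optional...> - <fstype> <source> <superopts>"
    # The " - " separator ends the variable-length optional fields, so split on it first.
    awk -F' - ' '
        {
            split($1, pre, " ")      # pre[5] is the mount point
            split($2, post, " ")     # post[1] fstype, post[3] superblock options
            if (post[1] != "cgroup" && post[1] != "cgroup2") next
            n = split(post[3], opts, ",")
            state = "noseclabel"
            for (i = 1; i <= n; i++) if (opts[i] == "seclabel") state = "seclabel"
            print pre[5], post[1], state
        }'
}

# Constructed mountinfo sample (no real host): a tmpfs parent, two v1 hierarchies
# and one cgroup2 mount, as a kernel whitelisting only "cgroup" would show them.
SAMPLE_MOUNTINFO='30 24 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,seclabel,mode=755
31 30 0:27 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,seclabel,xattr,name=systemd
34 30 0:30 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,seclabel,memory
35 30 0:31 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:14 - cgroup2 cgroup2 rw'

# Run the classifier over the constructed sample; the tmpfs line is filtered out,
# the two v1 mounts report seclabel, and the cgroup2 mount reports noseclabel.
classify_sample() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | cgroup_mounts
}

classify_sample
```

Mount points in mountinfo have spaces escaped as `\040`, so the `" - "` separator is unambiguous; a mount reported as `noseclabel` is one where a relabel attempt will fail regardless of policy, which is the symptom the commit message describes.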