On 02/25/2015 09:33 AM, William Roberts wrote: > Is there any recommendation for limiting the mode on the fc entry for > recursive restores of /sys. If one is only expecting symlinks should > they specify -l?
Yes, if you only want to apply the context to a specific kind of file, then you should specify the mode field in file_contexts. It is also more efficient if you specify the mode field since it can then skip the pcre_exec call if the file has a different mode. However, restorecon intentionally does not follow symlinks; it passes FTS_PHYSICAL to fts_open() and it calls lgetfilecon/lsetfilecon to get and set the context, so it will only label the symlink itself, not the file to which it refers. Changing that in general would be a security hole, as an app or shell user could create a symlink to some system file to try to get it relabeled to an accessible type. Changing it for /sys would be different since /sys is kernel-generated but we would still have the problem I already mentioned, i.e. unlike the case with ueventd and device node creation, we do not have the real name and all symlink names provided at one time, and we could easily end up with an arbitrary label on any given node depending on the order in which fts happens to reach the real node and its symlinks. _______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
