On Apr 29, 2015 5:27 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 04/28/2015 07:01 PM, William Roberts wrote:
> > Stephen what's the effort to get option 3 done?
>
> Probably just requires changing sysfs to call the
> security_inode_init_security() hook when creating a new inode so that
> the usual logic is applied in labeling new files. Simple, but may have
> unintended side effects.
>

The side effects might be interesting. Looks like sysfs got refactored to use kernfs and cgroups is based off of that code as well. The kernfs_init_inode() routine looks promising. Also looks like we can do it in the sysfs (perhaps in sysfs_create_file) only layer as the kernfs objects seem to be housing an inode that you can get with iget_locked(). However, it requires the super block and it's not quite obvious to me how to traverse their abstractions offhand and ensure namespaces are properly handled.