On Apr 29, 2015 8:46 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 04/29/2015 11:40 AM, William Roberts wrote:
> >
> > On Apr 29, 2015 5:27 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
> >>
> >> On 04/28/2015 07:01 PM, William Roberts wrote:
> >> > Stephen, what's the effort to get option 3 done?
> >>
> >> Probably just requires changing sysfs to call the
> >> security_inode_init_security() hook when creating a new inode so that
> >> the usual logic is applied in labeling new files. Simple, but may have
> >> unintended side effects.
> >>
> >
> > The side effects might be interesting. Looks like sysfs got refactored
> > to use kernfs and cgroups is based off of that code as well. The
> > kernfs_init_inode() routine looks promising.
> >
> > Also looks like we can do it in the sysfs (perhaps in sysfs_create_file)
> > only layer as the kernfs objects seem to be housing an inode that you
> > can get with iget_locked(). However it requires the super block and it's
> > not quite obvious to me how to traverse their abstractions offhand and
> > ensure namespaces are properly handled.
>
> Yes, I'd suggest hooking kernfs.
>
> cgroup is another case where we'd like to improve granularity of
> labeling. I think it did get xattr support at some point and with the
> refactoring on top of kernfs, I think it still has that. So it might be
> possible to restorecon it after mount on modern kernels and label it
> that way. Not something I've looked into much.
>
It looked like xattr support was in kernfs on the 4.0 tree I looked through on lxr.
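The practical question behind the quoted discussion (whether a kernfs-backed mount such as sysfs or cgroupfs can be relabeled with restorecon after mount, or whether its labels come only from the policy's genfscon rules) can be probed from userspace without reading kernel source. The following is an added example, not code from the list thread or from the SELinux or kernel projects. It relies on the real getfattr/setfattr tools from the attr package; the function names, return codes and probe strategy (re-setting an inode's existing security.selinux value as a no-op write) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread: probe whether a kernfs-backed
# mount point (sysfs, cgroupfs) accepts writes to the security.selinux
# xattr, which is what restorecon relies on to relabel it after mount.
#
# The function names, return codes and probe strategy below are this
# example's own choices, not anything defined by the kernel or by
# SELinux tooling.
#
# Return codes of xattr_label_support:
#   0  xattr write accepted: the mount can be relabeled with restorecon
#   1  write refused with "not supported": labels come only from genfscon
#      rules in the policy; relabeling after mount will not take effect
#   2  cannot probe: path missing, or getfattr/setfattr (attr package) absent
#   3  write refused for another reason (typically permission denied:
#      rerun as root with a policy that allows relabelfrom/relabelto)
xattr_label_support() {
    path=$1
    [ -e "$path" ] || return 2
    command -v getfattr >/dev/null 2>&1 || return 2
    command -v setfattr >/dev/null 2>&1 || return 2

    # Read the current label. On a filesystem with no xattr support at all
    # this fails outright, which is the same answer as a refused write.
    label=$(getfattr --absolute-names --only-values -n security.selinux \
            -- "$path" 2>/dev/null) || return 1
    [ -n "$label" ] || return 1

    # Re-set the same label. A successful no-op proves the setxattr path
    # is wired through to the security module; "Operation not supported"
    # means this inode cannot be relabeled from userspace.
    err=$(setfattr -n security.selinux -v "$label" -- "$path" 2>&1 >/dev/null) \
        && return 0
    case $err in
        *"not supported"*) return 1 ;;
        *)                 return 3 ;;
    esac
}

# Print one verdict line per mount point; the text is captured by callers.
report_label_support() {
    for mp in "$@"; do
        rc=0
        xattr_label_support "$mp" || rc=$?
        case $rc in
            0) echo "$mp: relabelable via xattr (restorecon after mount works)" ;;
            1) echo "$mp: xattr write refused (genfscon-only labeling)" ;;
            3) echo "$mp: xattr write denied (rerun as root / check policy)" ;;
            *) echo "$mp: could not probe (path missing or attr tools absent)" ;;
        esac
    done
}

# Usage, as root on an SELinux-enabled kernel:
#   report_label_support /sys /sys/fs/cgroup
```

Run it as root: an unprivileged caller gets a permission error on the write, which the function reports as return code 3 rather than as a missing kernel feature, so the two cases are not confused. Because the write re-applies the value the inode already carries, a successful probe changes nothing on the system.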
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.