AOSP master is migrating away from ramfs: https://android-review.googlesource.com/#/c/161781/
If we continue in this direction we will end up with your option #2. The policy already exists: https://android-review.googlesource.com/#/c/161780/1

On Thu, Oct 22, 2015 at 9:59 AM Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 10/22/2015 10:43 AM, Jeffrey Vander Stoep wrote:
> > Probably using ramfs for the rootfs with older kernels and using tmpfs
> > with the newer kernels? That would explain it.
> >
> > Yes, the 3.18 device that I saw this behavior on used tmpfs.
>
> Ok, so at least we understand the problem.
>
> Options for resolving:
>
> 1. Change init to somehow distinguish creation of these empty mount
> point directories from other directories, and do not set the SELinux
> context based on file_contexts for those mount points. Then you only
> need mounton permission to rootfs and you don't have to allow init to
> over-mount an already mounted filesystem (since that is what you are
> doing by allowing mounton to cache_file and other types associated with
> the actual mounted filesystem).
>
> 2. Accept this labeling, allow it in policy, and possibly add calls to
> security_inode_init_security() to ramfs_mknod and ramfs_symlink so that
> ramfs exhibits the same behavior as tmpfs and we get consistent behavior
> and policy on the current Nexus devices.
>
> I think #1 is better. You might still want to fix ramfs for consistency
> regardless.
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
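The policy consequence the two options differ on is which types init must be granted `mounton` for: on a tmpfs rootfs the mount point directory receives its file_contexts label at creation (option 2), on the ramfs behaviour or with option 1 it keeps the rootfs label. The script below, an added illustration that is not from this thread or from AOSP, models that with a constructed file_contexts table and a constructed list of mount points; the last-match-wins lookup and the catch-all `/.*` entry are assumptions of this model, not a reproduction of libselinux.

```python
import re

# Constructed file_contexts fragment (not the real Android file_contexts).
# Order matters: the model assumes the last matching entry wins, so the
# catch-all rootfs entry must come first.
FILE_CONTEXTS = """\
/.*                   u:object_r:rootfs:s0
/cache(/.*)?          u:object_r:cache_file:s0
/data(/.*)?           u:object_r:system_data_file:s0
/mnt(/.*)?            u:object_r:tmpfs:s0
"""

# Constructed list of empty directories init creates on the rootfs
# before mounting a filesystem on top of them.
MOUNT_POINTS = ["/cache", "/data", "/mnt"]


def parse_file_contexts(text):
    """Parse '<regex> <context>' lines; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        regex, context = line.split()[:2]
        entries.append((re.compile(regex), context))
    return entries


def lookup(entries, path):
    """Return the context of the last entry whose regex fully matches path."""
    ctx = None
    for rx, context in entries:
        if rx.fullmatch(path):
            ctx = context
    return ctx


def mounton_types(entries, mount_points, labeled_on_create):
    """Set of SELinux types init needs 'mounton' for.

    labeled_on_create=True models the tmpfs rootfs case (option 2): mkdir
    yields the file_contexts label, so mounton is checked against that type.
    False models option 1 / ramfs: the mount point keeps the rootfs label,
    which in this constructed table is the label assigned to "/" itself.
    """
    types = set()
    for mp in mount_points:
        ctx = lookup(entries, mp if labeled_on_create else "/")
        types.add(ctx.split(":")[2])
    return types


def allow_rules(types):
    """Render the mounton rules the chosen option would require of init."""
    return ["allow init %s:dir mounton;" % t for t in sorted(types)]
```

Running `allow_rules(mounton_types(parse_file_contexts(FILE_CONTEXTS), MOUNT_POINTS, True))` lists one rule per mounted-filesystem type, while the option 1 model collapses to a single rootfs rule.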