diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2017-02-28 10:35:56 -0500 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2017-03-02 10:27:40 +1100 |
commit | 2651225b5ebcdde60f684c4db8ec7e9e3800a74f (patch) | |
tree | 73c955a7c52dbcbe7320ddb1fc823be6671d0a84 /security/selinux/hooks.c | |
parent | 0837e49ab3fa8d903a499984575d71efee8097ce (diff) | |
download | linux-next-2651225b5ebcdde60f684c4db8ec7e9e3800a74f.tar.gz |
selinux: wrap cgroup seclabel support with its own policy capability
commit 1ea0ce40690dff38935538e8dab7b12683ded0d3 ("selinux: allow
changing labels for cgroupfs") broke the Android init program,
which looks up security contexts whenever creating directories
and attempts to assign them via setfscreatecon().
When creating subdirectories in cgroup mounts, this would previously
be ignored since cgroup did not support userspace setting of security
contexts. However, after the commit, SELinux would attempt to honor
the requested context on cgroup directories and fail due to permission
denial. Avoid breaking existing userspace/policy by wrapping this change
with a conditional on a new cgroup_seclabel policy capability. This
preserves existing behavior until/unless a new policy explicitly enables
this capability.
Reported-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9a8f12f8d5b7..0a4b4b040e0a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -480,12 +480,13 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) sbsec->behavior == SECURITY_FS_USE_NATIVE || /* Special handling. Genfs but also in-core setxattr handler */ !strcmp(sb->s_type->name, "sysfs") || - !strcmp(sb->s_type->name, "cgroup") || - !strcmp(sb->s_type->name, "cgroup2") || !strcmp(sb->s_type->name, "pstore") || !strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || - !strcmp(sb->s_type->name, "rootfs"); + !strcmp(sb->s_type->name, "rootfs") || + (selinux_policycap_cgroupseclabel && + (!strcmp(sb->s_type->name, "cgroup") || + !strcmp(sb->s_type->name, "cgroup2"))); } static int sb_finish_set_opts(struct super_block *sb) |