[PATCH 0/3] Allow initializing the kernfs node's secctx based on its parent

Ondrej Mosnacek omosnace at redhat.com
Mon Jan 14 09:14:32 UTC 2019


On Fri, Jan 11, 2019 at 9:51 PM Tejun Heo <tj at kernel.org> wrote:
> Hello,
>
> On Wed, Jan 09, 2019 at 10:10:25AM +0100, Ondrej Mosnacek wrote:
> > The main motivation for this change is that the userspace users of cgroupfs
> > (which is built on kernfs) expect the usual security context inheritance
> > to work under SELinux (see [1] and [2]). This functionality is required for
> > better confinement of containers under SELinux.
>
> Can you please go into details on what the expected use cases are like
> for cgroupfs?  It shows up as a filesystem but isn't a real one and
> has its own permission scheme for delegation and stuff.  If sysfs
> hasn't needed selinux support, I'm having a bit of difficulty seeing
> why cgroupfs would.

I'm not sure what are the exact needs of the container people, but
IIUC the goal is to make it possible to have a subtree labeled with a
specific label (that gets inherited by newly created cgroups in that
subtree by default) so that container processes do not need to be
given permissions for the whole cgroupfs tree.

I'm cc'ing Dan Walsh, who should be able to explain the use cases in
more details. Dan, this is related to the cgroupfs labeling problem
([1] and [2]). See [3] for the root of this discussion.

[1] https://github.com/SELinuxProject/selinux-kernel/issues/39
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1553803
[3] https://lore.kernel.org/selinux/CAFqZXNsxfjwDaCWDrqxP736y_3Jm-r=twaHtkkTDtMuym774Jw@mail.gmail.com/T/


--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.



More information about the Linux-security-module-archive mailing list