[PATCH 0/3] Allow initializing the kernfs node's secctx based on its parent
Stephen Smalley
sds at tycho.nsa.gov
Tue Jan 15 14:36:44 UTC 2019
On 1/11/19 3:50 PM, Tejun Heo wrote:
> Hello,
>
> On Wed, Jan 09, 2019 at 10:10:25AM +0100, Ondrej Mosnacek wrote:
>> The main motivation for this change is that the userspace users of cgroupfs
>> (which is built on kernfs) expect the usual security context inheritance
>> to work under SELinux (see [1] and [2]). This functionality is required for
>> better confinement of containers under SELinux.
>
> Can you please go into details on what the expected use cases are like
> for cgroupfs? It shows up as a filesystem but isn't a real one and
> has its own permission scheme for delegation and stuff. If sysfs
> hasn't needed selinux support, I'm having a bit of difficulty seeing
> why cgroupfs would.
Just to clarify with respect to your last point about sysfs, sysfs
selinux support was first introduced in commit ddd29ec6597125c830f7
("sysfs: Add labeling support for sysfs") for use by libvirt, and this
support was carried over into kernfs, and is extensively used
particularly in Android for controlling access to sysfs files. The
patch set in this series is extending that support to enable inheritance
of security labels set via setxattr from parent to child when
appropriate, which has particularly been requested for cgroup but would
also be useful for sysfs.
More information about the Linux-security-module-archive
mailing list