This series contains three independent bugfixes that together make it possible to mount the cgroup filesystem with the 'context=' option under SELinux.

The first patch is trivial and fixes cgroupfs to correctly handle the case when the mount options are just an empty string.

The second patch fixes SELinux to always disallow relabeling inodes that belong to a 'context=' mount.

The third patch fixes SELinux to ignore security_inode_notifysecctx() calls on inodes that belong to a 'context=' mount.

Paul, Stephen, please have a quick look at the last two patches, I'm not 100% sure that I understand the expected behavior of the context mounts correctly. (My assumption is that in a context mount we want the whole subtree to be labeled with the given label, no matter what.) Also, I'm not entirely satisfied with the code style in the second patch (and it produces an annoying false positive with checkpatch.pl), but I didn't see a better way to write it...

I haven't had time to do much testing on the patches (other than the reproducers mentioned in the commit messages). I'd like to make sure that I'm going in the right direction first.

Thanks,
O.M.

--
Ondrej Mosnacek (3):
  cgroup: fix parsing empty mount option string
  selinux: never allow relabeling on context mounts
  selinux: do not override context on context mounts

 kernel/cgroup/cgroup.c   |  2 +-
 security/selinux/hooks.c | 48 ++++++++++++++++++++++++++++++----------
 2 files changed, 37 insertions(+), 13 deletions(-)

--
2.19.2