In v20-rc1.

Serge E. Hallyn wrote:
> Hi Oren,
>
> In comparing your ckpt-v19-dev-serge branch to my local one I
> noticed this patch was missing, then realized I hadn't sent it
> separately, but only inline with a response to Nathan.
>
> Please do apply.
>
> Without this patch, selinux labels will not be restored on msg_msg's in
> message queues (because we didn't send the restored msg_msg through
> msgsnd), and the restored task won't have the permission to receive the
> messages.
>
> As I mentioned in that thread, simply re-routing the restored
> msg_msg through msgsnd doesn't really suffice because the msg_msg
> label is calculated as a product of the msgq and sending task
> labels, and the latter may have already changed.
>
> thanks,
> -serge
>
> Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
> --- > security/security.c | 4 +++- > 1 files changed, 3 insertions(+), 1 deletions(-) > > diff --git a/security/security.c b/security/security.c > index 28db976..2b147cf 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -1524,7 +1524,9 @@ int security_restore_obj(struct ckpt_ctx *ctx, void *v, int sectype, > > /* return if caller didn't want to restore checkpointed labels */ > if (!(ctx->uflags & RESTART_KEEP_LSM)) > - return 0; > + /* though msg_msg label must always be restored */ > + if (sectype != CKPT_SECURITY_MSG_MSG) > + return 0; > > l = ckpt_obj_fetch(ctx, secref, CKPT_OBJ_SECURITY); > if (IS_ERR(l))
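Review bot: The early-return in security_restore_obj() is now an unbraced if nested inside another unbraced if, with a comment sitting between the two conditions, which is easy to misread and invites a dangling-else mistake in a later edit. Folding it into one test, `if (!(ctx->uflags & RESTART_KEEP_LSM) && sectype != CKPT_SECURITY_MSG_MSG) return 0;`, states the exception directly. The existing comment above it ("return if caller didn't want to restore checkpointed labels") should also be updated, since msg_msg labels are now restored whether or not the caller set RESTART_KEEP_LSM. Because that makes a label taken from the checkpoint image apply without the caller opting in, it is worth confirming that the code following ckpt_obj_fetch() still runs the LSM permission check for the msg_msg case; the visible context does not show it.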