On Tue, May 19, 2015 at 03:46:06PM -0400, Stephen Smalley wrote:
> Add support for per-file labeling of debugfs files so that
> we can distinguish them in policy. This is particularly
> important in Android where certain debugfs files have to be writable
> by apps and therefore the debugfs directory tree can be read and
> searched by all.
>
> Since debugfs is entirely kernel-generated, the directory tree is
> immutable by userspace, and the inodes are pinned in memory, we can
> simply use the same approach as with proc and label the inodes from
> policy based on pathname from the root of the debugfs filesystem.
> Generalize the existing labeling support used for proc and reuse it
> for debugfs too.

Was there a compelling reason not to implement something similar for /sys?

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift