On Wed, May 20, 2015 at 11:59:34AM -0400, Stephen Smalley wrote:
> On 05/20/2015 11:51 AM, Dominick Grift wrote:
> > On Tue, May 19, 2015 at 03:46:06PM -0400, Stephen Smalley wrote:
> >> Add support for per-file labeling of debugfs files so that
> >> we can distinguish them in policy. This is particularly
> >> important in Android where certain debugfs files have to be writable
> >> by apps and therefore the debugfs directory tree can be read and
> >> searched by all.
> >>
> >> Since debugfs is entirely kernel-generated, the directory tree is
> >> immutable by userspace, and the inodes are pinned in memory, we can
> >> simply use the same approach as with proc and label the inodes from
> >> policy based on pathname from the root of the debugfs filesystem.
> >> Generalize the existing labeling support used for proc and reuse it
> >> for debugfs too.
> >
> > Was there a compelling reason not to implement something similar for /sys?
>
> The original motivating use case for per-file labeling for sysfs was
> libvirt labeling of specific sysfs nodes to make them accessible to
> specific virtual machines (qemu instances). In that scenario, we needed
> userspace to be able to drive the labeling based on more than just the
> pathname and so genfs_contexts wasn't suitable.
>
> That said, Android is labeling all of /sys at boot based on
> file_contexts entries, so it might be argued that it would benefit from
> similar support for sysfs. Although genfs_contexts isn't as flexible as
> file_contexts (simple path prefix matching vs pathname regex matching).

I always considered labeling files in /sys based on file_contexts to be a rather fragile solution. Fedora, for example, uses systemd-tmpfiles to label specified files in /sys on boot.

Currently in my personal policy I decided to leave everything with the default sysfs fs type whilst waiting for a "genfscon" solution to arrive.
--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
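To make the "simple path prefix matching vs pathname regex matching" contrast from the thread concrete, here is an added Python sketch (not kernel, libselinux or policy code from the patch or the list) that models a genfs_contexts lookup as longest-prefix matching against a per-filesystem table and a file_contexts lookup as regex matching over the full pathname. The tables, paths and labels are constructed for illustration; the file-type qualifier that genfscon entries can carry is not modelled.

```python
import re

# Constructed genfs_contexts-style table: filesystem -> [(path prefix, label)].
# The kernel compares the entry's bytes as a prefix of the path and the
# longest matching prefix wins, so more specific entries override "/".
GENFS_CONTEXTS = {
    "debugfs": [
        ("/", "u:object_r:debugfs:s0"),
        ("/tracing", "u:object_r:debugfs_tracing:s0"),
        ("/tracing/trace_marker", "u:object_r:debugfs_trace_marker:s0"),
    ],
}

# Constructed file_contexts-style table: (regex over the whole path, label).
# Regexes can express per-instance patterns (cpuN, any interface name) that a
# prefix table can only approximate with one entry per instance.
FILE_CONTEXTS = [
    (r"/sys(/.*)?", "u:object_r:sysfs:s0"),
    (r"/sys/devices/system/cpu/cpu[0-9]+/cpufreq(/.*)?", "u:object_r:sysfs_cpufreq:s0"),
    (r"/sys/class/net/.*/mtu", "u:object_r:sysfs_net_mtu:s0"),
]


def genfs_label(fstype, path):
    """Longest-prefix lookup, as a genfscon table is consulted.

    Returns None when no entry for the filesystem type matches.
    """
    best = None
    for prefix, label in GENFS_CONTEXTS.get(fstype, []):
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    return best[1] if best else None


def file_contexts_label(path):
    """Regex lookup over the full pathname.

    Modelled here as last-match-wins (an assumption about spec ordering);
    returns None when no spec matches.
    """
    label = None
    for pattern, candidate in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            label = candidate
    return label


if __name__ == "__main__":
    print(genfs_label("debugfs", "/tracing/events/sched"))
    print(file_contexts_label("/sys/class/net/eth0/mtu"))
```

Running it shows the trade-off the thread describes: the debugfs table labels any file under /tracing without userspace involvement, while only the regex table can give every interface's mtu node one label from a single entry.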