On Tue, Jan 17, 2017 at 10:51 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Tue, 2017-01-17 at 10:34 -0500, Daniel J Walsh wrote:
>> In order to allow processes to modify the cgroup hierarchy in a
>> container from an SELinux point of view, we need to allow read/write
>> access to cgroup_t, which means that a container process could break out
>> and modify all cgroups. We want to allow them to only modify the portion
>> of the hierarchy handed to them.
>>
>> Would be a nice security improvement for docker.
>
> Probably as easy as adding cgroup to the list of filesystem types that
> use genfscon but also support setxattr (like sysfs) in
> selinux_is_sblabel_mnt() in security/selinux/hooks.c. sysfs and cgroup
> are both implemented on top of kernfs in modern kernels, so they should
> both support proper setting of security labels.

... and a test should be added to the selinux-testsuite.

Come on Dan, you know you want to write some more kernel code ;)

--
paul moore
www.paul-moore.com
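The check a practitioner would want after a change like the one Stephen describes is whether a mounted cgroup hierarchy actually accepts a label change through setxattr. The script below is an added example, not code from this thread or from the kernel; it assumes a Linux host with SELinux enabled, GNU coreutils (stat, chcon), root privileges for the probe, and /proc/self/mounts as the mount table (the cgroup_mounts, label_settable and report function names are this example's own).

```shell
#!/bin/sh
# Added example, not part of the thread. Probes whether cgroup mounts are
# SELinux-labelable, i.e. whether the kernel accepts a security.selinux
# setxattr on them. Assumes SELinux is enabled and coreutils are present.

# cgroup_mounts: read /proc/self/mounts-format text on stdin and print
# "<mountpoint> <fstype>" for every cgroup or cgroup2 mount.
cgroup_mounts() {
    awk '$3 == "cgroup" || $3 == "cgroup2" { print $2, $3 }'
}

# label_settable DIR: rewrite DIR's current SELinux context onto itself.
# The label does not change, but the kernel still goes through the
# setxattr path, so this prints "yes" on a labelable filesystem and "no"
# where the kernel rejects it (EOPNOTSUPP on genfscon-only filesystems).
label_settable() {
    dir=$1
    cur=$(stat -c %C -- "$dir") || return 2
    if chcon -- "$cur" "$dir" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# report: walk every cgroup mount on this host and state whether its
# root directory can be relabeled. Needs root to attempt the chcon.
report() {
    cgroup_mounts < /proc/self/mounts | while read -r mnt fstype; do
        printf '%s (%s): relabel %s\n' "$mnt" "$fstype" "$(label_settable "$mnt")"
    done
}

# Usage: sh probe-cgroup-labels.sh report
case "${1-}" in
    report) report ;;
esac
```

On a kernel without the change, every cgroup line reports "relabel no" even though a container process with read/write access to cgroup_t can still reach the whole hierarchy; once cgroup is treated as a labelable mount, "relabel yes" means the subtree handed to a container can carry its own type and the policy can confine writes to that portion.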