Re: [PATCH] selinux-testsuite: Update binder for kernel 5.4 support

[Stephen Smalley <sds@xxxxxxxxxxxxx>]

On 10/8/19 5:43 PM, Paul Moore wrote:
> On Mon, Oct 7, 2019 at 12:35 PM Richard Haines
> <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> > On Mon, 2019-10-07 at 16:17 +0100, Richard Haines wrote:
> > > On Mon, 2019-10-07 at 10:28 -0400, Stephen Smalley wrote:
> > > > On 10/6/19 4:51 AM, Richard Haines wrote:
> > > > > Kernel 5.4 commit ca2864c6e8965c37df97f11e6f99e83e09806b1c
> > > > > ("binder: Add
> > > > > default binder devices through binderfs when configured"),
> > > > > changed
> > > > > the way
> > > > > the binder device is initialised and no longer automatically
> > > > > generates
> > > > > /dev/binder when CONFIG_ANDROID_BINDERFS=y.
> > > >
> > > > This seems like a userspace ABI break, no?  Same kernel config
> > > > before
> > > > and after this commit yields different behavior for
> > > > /dev/binder.  I
> > > > suppose one might argue that one would only enable
> > > > CONFIG_ANDROID_BINDERFS if one wanted to use it instead of
> > > > /dev/binder
> > > > but the original commit that introduced binderfs specifically said
> > > > that
> > > > backward compatibility was preserved.
> > > I'll need to check this further, but from what I've seen so far, is
> > > that the /dev/binder is not available until you mount binderfs etc.
> > > that's why Paul had the failure on 5.4 as before then is was
> > > available
> > > when the binder driver first initialised.
> >
> > To confirm tests using kernel 5.4-rc1
> >
> > Test 1 config:
> > CONFIG_ANDROID=y
> > CONFIG_ANDROID_BINDER_IPC=y
> > CONFIG_ANDROID_BINDERFS=y
> > CONFIG_ANDROID_BINDER_DEVICES="binder"
> >
> > On boot no /dev/binder
> >
> > To get this you have to:
> > mkdir /dev/binderfs 2>/dev/null
> > mount -t binder binder /dev/binderfs -o
> > context=system_u:object_r:device_t:s0 2>/dev/null
> >
> > You then have devs:
> > binder and binder-control
> >
> > Test 2 config:
> > CONFIG_ANDROID=y
> > CONFIG_ANDROID_BINDER_IPC=y
> > # CONFIG_ANDROID_BINDERFS is not set
> > CONFIG_ANDROID_BINDER_DEVICES="binder"
> >
> > On boot you have /dev/binder
>
> Disabling binderfs during build is probably not the smart thing to do
> considering where the world is at with namespaces/containers, whatever
> we do we should make sure the tests work with
> CONFIG_ANDROID_BINDERFS=y.

Yes, I think the question is just whether we want to have the tests use 
binderfs for kernel >= 5.0 (i.e. the point at which binderfs was first 
introduced) or for kernel >= 5.4 (i.e. the point at which binderfs usage 
became mandatory if you enable it in your config because /dev/binder is 
no longer automatically created).  I'm fine either way.