Re: [PATCH] selinux: allow kernfs symlinks to inherit parent directory context

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1/24/20 2:08 PM, Christian Göttsche wrote:
Am Fr., 24. Jan. 2020 um 19:53 Uhr schrieb Stephen Smalley <sds@xxxxxxxxxxxxx>:

On 1/24/20 1:42 PM, Christian Göttsche wrote:
Currently symlinks on kernel filesystems, like sysfs, are labeled on
creation with the parent fs root sid.

Allow symlinks to inherit the parent directory context, so fine-grained
kernfs labeling can be applied to symlinks too and checking contexts
doesn't complain about them.

For backward-compatibility this behavior is contained in a new policy
capability: kernfs_sovereign_symlinks

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---

Not fond of the name.  1) kernfs is a kernel implementation detail,
shouldn't be exposed to policy; genfs is the policy construct 2)
sovereign doesn't seem to fit the meaning of this capability; seclabel
would be more appropriate.

Something like genfs_seclabel_symlinks?

Works for me.


+                  (sbsec->flags & SE_SBGENFS_XATTR))) {

Why limit this to SE_SBGENFS_XATTR filesystems?  Why not just make the test:
         if ((sbsec->flags & SE_SBGENFS) && (!S_ISLNK(inode->i_mode) ||
selinux_policycap_genfs_symlinkseclabel()))
or similar.

I somehow thought that this functionality is limited to filesystems
with SE_SBGENFS_XATTR;
so I can expand the check to SE_SBGENFS.

I could be wrong but I don't see why it would need to be limited in that way.



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux