On Thu, May 2, 2024 at 2:37 PM Chris PeBenito <pebenito@xxxxxxxx> wrote: > > The state of cgroup2 labeling and memory.pressure came up for me again. > This was discussed March last year[1]. To summarize, refpolicy has a > type_transition for the memory.pressure file in cgroup2 to a default of > memory_pressure_t. For example this file: > > /sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure > > with the idea that we allow daemons to write to this without allowing > writes to all cgroup_t. Unfortunately, the thread ended and I haven't > seen any improvement. > > The conclusion was[3]: > > > Ah, now I remembered that we made it such that the transitions would > > only apply if the parent directory has a label explicitly set by > > userspace (via setxattr). Not sure if we can improve it easily, since > > we can't use the normal inode-based logic for cgroupfs (the xattrs are > > stored in kernfs nodes, each of which can be exposed via multiple > > inodes if there is more than one cgroupfs mount). > > Testing on a 6.6 kernel and systemd 255, I still see the same issues, > where most are stuck at cgroup_t, with user.slice entries get > memory_pressure_t[2]. Based on my investigations, the user.slice works > because systemd sets the user.invocation_id xattr on these dirs. > > Next, I tried modifying systemd to use it's version of > setfscreatecon()+mkdir() when it creates the cgroup directories. This > did not change the labeling behavior. Next I changed the code to a > post-mkdir setfilecon() and then all the memory.pressures finally had > expected labeling. > > This setxattr() requirement is unfortunate, and the fact the > setfscreatecon() doesn't work makes it more unfortunate. Is there any > improvement being worked? Possibly I misunderstand, but selinux_kernfs_init_security() appears to honor the create_sid (setfscreatecon) if set, so I would have expected that to work. > [1] https://lore.kernel.org/selinux/87mt47ga29.fsf@xxxxxxxxxxx/ > [2] > https://lore.kernel.org/selinux/CAEjxPJ77ZiWTwJ=hj2DFoNCg4XZMfiU6VNSNAnyCKc0Rd+nM6Q@xxxxxxxxxxxxxx/ > [3] > https://lore.kernel.org/selinux/CAFqZXNtLFsmb3n+H=7Jcp1g_sLEFdRL75fzvjMvTU1rXvaQXMA@xxxxxxxxxxxxxx/ > > -- > Chris PeBenito >
