git.baikalelectronics.ru Git - kernel.git/commit
selinux: wrap cgroup seclabel support with its own policy capability
author: Stephen Smalley <sds@tycho.nsa.gov>
        Tue, 28 Feb 2017 15:35:56 +0000 (10:35 -0500)
committer: James Morris <james.l.morris@oracle.com>
        Wed, 1 Mar 2017 23:27:40 +0000 (10:27 +1100)
commit: 322f8314875475a169a8346b30f8ec4e74b24bde
tree:   73c955a7c52dbcbe7320ddb1fc823be6671d0a84
parent: e5fdc4976853bb04c98935ab6a0af7be736f7b4e
selinux: wrap cgroup seclabel support with its own policy capability

commit aa2f557a8aa072637b00665a310fe026d6acff2c ("selinux: allow
changing labels for cgroupfs") broke the Android init program,
which looks up security contexts whenever creating directories
and attempts to assign them via setfscreatecon().
When creating subdirectories in cgroup mounts, this would previously
be ignored since cgroup did not support userspace setting of security
contexts.  However, after the commit, SELinux would attempt to honor
the requested context on cgroup directories and fail due to permission
denial.  Avoid breaking existing userspace/policy by wrapping this change
with a conditional on a new cgroup_seclabel policy capability.  This
preserves existing behavior until/unless a new policy explicitly enables
this capability.

Reported-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
security/selinux/hooks.c
security/selinux/include/security.h
security/selinux/selinuxfs.c
security/selinux/ss/services.c
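The commit message describes the userspace side of the breakage: init sets a file-creation context with setfscreatecon() and then calls mkdir(), which cgroupfs used to ignore and, once labels are honoured, can refuse with a permission denial. The following is an added example, not code from this kernel patch and not Android init's code, showing how a program in init's position can (a) read the cgroup_seclabel policy capability from selinuxfs to decide whether a cgroup directory can carry a requested label at all, (b) set the creation context the way libselinux's setfscreatecon() does, by writing to /proc/self/attr/fscreate, and (c) fall back to an unlabelled mkdir when the kernel denies the requested context. The selinuxfs path, the /proc attribute and the cgroup statfs magics are real kernel interfaces; the function names, the Android-style context string and the paths used in main() are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <unistd.h>

#ifndef CGROUP_SUPER_MAGIC
#define CGROUP_SUPER_MAGIC  0x27e0eb      /* cgroup v1 */
#endif
#ifndef CGROUP2_SUPER_MAGIC
#define CGROUP2_SUPER_MAGIC 0x63677270    /* cgroup v2 */
#endif
#define POLCAP_PATH   "/sys/fs/selinux/policy_capabilities/cgroup_seclabel"
#define FSCREATE_PATH "/proc/self/attr/fscreate"

/* Contents of a policy_capabilities file: "1" enabled, "0" disabled.
 * Returns 1, 0, or -1 for anything else. */
int parse_polcap(const char *text)
{
    if (text == NULL || text[0] == '\0') return -1;
    if (text[1] != '\0' && text[1] != '\n') return -1;
    return text[0] == '1' ? 1 : text[0] == '0' ? 0 : -1;
}

/* 1 if the loaded policy enables cgroup_seclabel; 0 if it is disabled or the
 * file is absent (SELinux off, selinuxfs not mounted, older kernel/policy). */
int cgroup_seclabel_enabled(void)
{
    char buf[8];
    int fd = open(POLCAP_PATH, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return parse_polcap(buf) == 1;
}

/* On cgroupfs a requested label is honoured only once cgroup_seclabel is
 * enabled (before that the kernel silently ignores it); elsewhere ask. */
int should_request_label(const char *parent)
{
    struct statfs sf;
    if (statfs(parent, &sf) < 0) return 1;
    if (sf.f_type == CGROUP_SUPER_MAGIC || sf.f_type == CGROUP2_SUPER_MAGIC)
        return cgroup_seclabel_enabled();
    return 1;
}

/* Set (ctx) or clear (NULL) this thread's file-creation context, exactly as
 * libselinux setfscreatecon() does.  0 on success, -1 with errno set. */
int set_fscreate(const char *ctx)
{
    int fd = open(FSCREATE_PATH, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = ctx ? write(fd, ctx, strlen(ctx) + 1) : write(fd, NULL, 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 0;
}

/* mkdir(path) with ctx requested when want_label is set.  If the kernel
 * honours the request but denies it (EACCES/EPERM), or fscreate cannot be
 * set at all, retry unlabelled: the behaviour init got on cgroupfs before
 * the capability existed.  *labelled reports whether the label was applied.
 * A plain DAC EACCES simply fails again on the retry, which is correct. */
int mkdir_labelled(const char *path, const char *ctx, int want_label,
                   int *labelled)
{
    *labelled = 0;
    if (want_label && ctx && set_fscreate(ctx) == 0) {
        int rc = mkdir(path, 0755);
        int saved = errno;
        set_fscreate(NULL);          /* never leak the context to later creates */
        if (rc == 0) { *labelled = 1; return 0; }
        if (saved != EACCES && saved != EPERM) { errno = saved; return -1; }
    }
    return mkdir(path, 0755);
}

int main(int argc, char **argv)
{
    /* Assumed defaults: a cgroup subdirectory and an Android-style label. */
    const char *path = argc > 1 ? argv[1] : "/sys/fs/cgroup/example";
    const char *ctx  = argc > 2 ? argv[2] : "u:object_r:cgroup:s0";
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s", path);
    int labelled;
    if (mkdir_labelled(path, ctx, should_request_label(dirname(tmp)), &labelled) < 0) {
        perror("mkdir");
        return 1;
    }
    printf("%s created, label %s\n", path, labelled ? "applied" : "not applied");
    return 0;
}
```

Two points to take from the fallback: the creation context is cleared on every path out of mkdir_labelled, so a denied request cannot bleed into the next file the program creates, and a program that checks should_request_label() first never triggers the denial on a policy that has not opted in to cgroup_seclabel, which is exactly the compatibility the capability preserves.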