[CRIU] [PATCH v2 1/3] lsm: add support for c/ring LSM profiles
Pavel Emelyanov
xemul at parallels.com
Wed May 6 09:15:46 PDT 2015
Hi Tycho,

Great work, thanks! I like the set and want to merge it before the 1.6
feature freeze, but I have one comment:
> +#ifdef CONFIG_HAS_SELINUX
> +static int selinux_get_label(pid_t pid, char **profile_name)
> +{
> + security_context_t ctx;
> +
> + if (getpidcon_raw(pid, &ctx) < 0) {
> + pr_perror("getting selinux profile failed");
> + return -1;
> + }
> +
> + *profile_name = xstrdup((char *)ctx);
> + freecon(ctx);
> + if (!*profile_name)
> + return -1;
> +
> + /*
> + * SELinux has some profile names that are sentinels for unconfined,
> + * e.g. with fedora 21 I get something like this:
> + *
> + * unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> + *
> + * However, I don't know enough about SELinux to say whether or not it
> + * is safe to ignore those as we do with apparmor above, so for now we
> + * ignore all sentinel values and try to restore whatever is there.
> + */
> +
> + return 0;
> +}
> +#endif
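Review bot: the comment block after the NULL check is misleading about what the code does. "we ignore all sentinel values and try to restore whatever is there" reads as "we skip those labels", while the function actually returns every context verbatim, sentinel or not, and never special-cases them. Say that directly (e.g. "we do not special-case them and return the context as is") and drop the reference to "apparmor above", which is not visible in this hunk and will not help a reader of this function. Two smaller points in the same hunk: the cast in `*profile_name = xstrdup((char *)ctx);` is unnecessary since security_context_t is already a char pointer in libselinux, and the log message "getting selinux profile failed" plus the `profile_name` parameter use AppArmor vocabulary for what SELinux calls a security context or label; naming them consistently will matter once a caller has to distinguish the two LSMs.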
Since we don't have a test for selinux and (AFAIK) selinux "tags" or "labels"
can sit on objects other than tasks, can we refuse dumping selinux labels other
than "unconfined" until we understand how to properly do it? (An incremental
patch would be OK.)
-- Pavel
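The check Pavel asks for, written out as an added example; this is not CRIU's code or Tycho's patch. It parses an SELinux context string of the form user:role:type[:range] (the range may itself contain a colon, as in s0-s0:c0.c1023), treats a task as "unconfined" when its type field is unconfined_t, and refuses any other or malformed label. The function names are hypothetical, the sample contexts are constructed, and the only system interface used is /proc/<pid>/attr/current, the procfs file libselinux's getpidcon() reads, so the program works with no libselinux dependency.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* A parsed SELinux security context: user:role:type[:range]. */
struct selinux_ctx {
	char user[64];
	char role[64];
	char type[128];
	char range[128];	/* empty when the policy has no MLS/MCS range */
};

/* Copy [start, end) into dst; reject empty or oversized fields. */
static int copy_field(char *dst, size_t dstlen, const char *start, const char *end)
{
	size_t n = end - start;

	if (n == 0 || n >= dstlen)
		return -1;
	memcpy(dst, start, n);
	dst[n] = '\0';
	return 0;
}

/*
 * Split on the first three colons only: the MCS range "s0-s0:c0.c1023"
 * contains a colon of its own, so everything after the third one is range.
 * Returns 0 on success, -1 if the string is not a well-formed context
 * (e.g. "kernel", which a non-SELinux kernel may report).
 */
int selinux_ctx_parse(const char *s, struct selinux_ctx *c)
{
	const char *p = s, *q;

	memset(c, 0, sizeof(*c));
	q = strchr(p, ':');
	if (!q || copy_field(c->user, sizeof(c->user), p, q))
		return -1;
	p = q + 1;
	q = strchr(p, ':');
	if (!q || copy_field(c->role, sizeof(c->role), p, q))
		return -1;
	p = q + 1;
	q = strchr(p, ':');
	if (!q)	/* no range: the type is the rest of the string */
		return copy_field(c->type, sizeof(c->type), p, p + strlen(p));
	if (copy_field(c->type, sizeof(c->type), p, q))
		return -1;
	p = q + 1;
	return copy_field(c->range, sizeof(c->range), p, p + strlen(p));
}

/* 1 if the task type is unconfined_t, 0 if confined, -1 if malformed. */
int selinux_ctx_is_unconfined(const char *s)
{
	struct selinux_ctx c;

	if (selinux_ctx_parse(s, &c) < 0)
		return -1;
	return strcmp(c.type, "unconfined_t") == 0;
}

/* Hypothetical dump-time policy: only an unconfined label is accepted. */
int selinux_label_check_dumpable(const char *s)
{
	int r = selinux_ctx_is_unconfined(s);

	if (r < 0)
		fprintf(stderr, "malformed selinux context '%s'\n", s);
	else if (r == 0)
		fprintf(stderr, "refusing to dump confined selinux context '%s'\n", s);
	return r == 1 ? 0 : -1;
}

/* Read a task's current context from procfs (what getpidcon() reads). */
int read_task_selinux_ctx(pid_t pid, char *buf, size_t len)
{
	char path[64];
	FILE *f;
	size_t n;

	snprintf(path, sizeof(path), "/proc/%d/attr/current", (int)pid);
	f = fopen(path, "r");
	if (!f)
		return -1;
	n = fread(buf, 1, len - 1, f);
	fclose(f);
	buf[n] = '\0';
	/* the kernel may append a trailing NUL or newline */
	while (n && (buf[n - 1] == '\n' || buf[n - 1] == '\0'))
		buf[--n] = '\0';
	return n ? 0 : -1;
}

int main(void)
{
	/* constructed sample contexts, not taken from a real system */
	const char *samples[] = {
		"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
		"system_u:system_r:httpd_t:s0",
		"kernel",
	};
	char buf[256];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-55s dumpable=%d\n", samples[i], selinux_label_check_dumpable(samples[i]));
	if (read_task_selinux_ctx(getpid(), buf, sizeof(buf)) == 0)
		printf("this task: %s dumpable=%d\n", buf, selinux_label_check_dumpable(buf));
	else
		printf("could not read /proc/self/attr/current (SELinux not enabled?)\n");
	return 0;
}
```

Refusing at dump time, rather than silently dropping the label, keeps the failure visible: an image with no recorded SELinux context would otherwise restore a confined task as whatever the restorer happens to run as.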