[CRIU] [PATCH v2 1/3] lsm: add support for c/ring LSM profiles
Tycho Andersen
tycho.andersen at canonical.com
Wed May 6 10:58:38 PDT 2015
Hi Pavel,
On Wed, May 06, 2015 at 07:15:46PM +0300, Pavel Emelyanov wrote:
> Hi, Tycho
>
> Great work, thanks! I like the set and want to merge it before 1.6
> feature freeze, but I have one comment:
>
> > +#ifdef CONFIG_HAS_SELINUX
> > +static int selinux_get_label(pid_t pid, char **profile_name)
> > +{
> > + security_context_t ctx;
> > +
> > + if (getpidcon_raw(pid, &ctx) < 0) {
> > + pr_perror("getting selinux profile failed");
> > + return -1;
> > + }
> > +
> > + *profile_name = xstrdup((char *)ctx);
> > + freecon(ctx);
> > + if (!*profile_name)
> > + return -1;
> > +
> > + /*
> > + * SELinux has some profile names that are sentinels for unconfined,
> > + * e.g. with fedora 21 I get something like this:
> > + *
> > + * unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > + *
> > + * However, I don't know enough about SELinux to say whether or not it
> > + * is safe to ignore those as we do with apparmor above, so for now we
> > + * ignore all sentinel values and try to restore whatever is there.
> > + */
> > +
> > + return 0;
> > +}
> > +#endif
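Review bot: the comment block just before `return 0` says sentinel values are "ignored" and whatever is there is restored, but the function performs no check at all on the context it got from getpidcon_raw(), so every label, confined or unconfined, is passed through to restore unchanged; either reword the comment so it does not suggest a check exists, or add the check it describes (refuse anything other than an unconfined context, as suggested below, until restoring arbitrary SELinux labels is understood). Minor: the `(char *)ctx` cast in `*profile_name = xstrdup((char *)ctx);` is unnecessary, since security_context_t is already a typedef for char *.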
>
> Since we don't have test for selinux and (AFAIK) selinux "tags" or "labels"
> can sit on objects other than tasks, can we refuse dumping selinux labels other
> than "unconfined" until we understand how to properly do it? (Incremental
> patch would be OK)
Sure; showing my selinux ignorance, is something like:
1. split on :
2. make sure the first 3 pieces start with "unconfined_"
good enough?
Tycho
> -- Pavel
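The check sketched above (split the context on ':' and require the first three fields, user, role and type, to start with "unconfined_"), written out as an added C example; this is not CRIU code, and the function names selinux_ctx_is_unconfined() and check_selinux_label() are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not part of CRIU): decide whether an SELinux context
 * such as "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" is one of
 * the "unconfined" sentinels.  Following the proposal in the thread, the
 * string is split on ':' and the first three fields (user, role, type) must
 * each start with "unconfined_"; a missing field or any other prefix is
 * rejected.  The MLS level/range after the type field is not inspected.
 */
static bool selinux_ctx_is_unconfined(const char *ctx)
{
	const char *prefix = "unconfined_";
	size_t plen = strlen(prefix);
	const char *p = ctx;
	int field;

	if (!ctx)
		return false;

	for (field = 0; field < 3; field++) {
		const char *end = strchr(p, ':');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		/* field must carry something after the prefix, and start with it */
		if (len <= plen || strncmp(p, prefix, plen) != 0)
			return false;
		if (!end)
			return field == 2; /* string ended: fine only after the type */
		p = end + 1;
	}
	return true;
}

/*
 * What the dump side would do with the result: 0 for an unconfined label,
 * -1 (refuse to dump) for anything else, instead of restoring "whatever is
 * there".
 */
static int check_selinux_label(const char *ctx)
{
	if (selinux_ctx_is_unconfined(ctx))
		return 0;
	fprintf(stderr, "refusing to dump selinux label: %s\n",
		ctx ? ctx : "(null)");
	return -1;
}
```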