[CRIU] [PATCH v2 1/3] lsm: add support for c/ring LSM profiles
Pavel Emelyanov
xemul at parallels.com
Wed May 6 12:00:53 PDT 2015
On 05/06/2015 08:58 PM, Tycho Andersen wrote:
> Hi Pavel,
>
> On Wed, May 06, 2015 at 07:15:46PM +0300, Pavel Emelyanov wrote:
>> Hi, Tycho
>>
>> Great work, thanks! I like the set and want to merge it before 1.6
>> feature freeze, but I have one comment:
>>
>>> +#ifdef CONFIG_HAS_SELINUX
>>> +static int selinux_get_label(pid_t pid, char **profile_name)
>>> +{
>>> + security_context_t ctx;
>>> +
>>> + if (getpidcon_raw(pid, &ctx) < 0) {
>>> + pr_perror("getting selinux profile failed");
>>> + return -1;
>>> + }
>>> +
>>> + *profile_name = xstrdup((char *)ctx);
>>> + freecon(ctx);
>>> + if (!*profile_name)
>>> + return -1;
>>> +
>>> + /*
>>> + * SELinux has some profile names that are sentinels for unconfined,
>>> + * e.g. with fedora 21 I get something like this:
>>> + *
>>> + * unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> + *
>>> + * However, I don't know enough about SELinux to say whether or not it
>>> + * is safe to ignore those as we do with apparmor above, so for now we
>>> + * ignore all sentinel values and try to restore whatever is there.
>>> + */
>>> +
>>> + return 0;
>>> +}
>>> +#endif
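Review bot: the comment above the final `return 0` says "we ignore all sentinel values and try to restore whatever is there", which reads as the opposite of what the code does: the function returns every label unchanged, including the unconfined sentinel, rather than skipping sentinels the way the apparmor path is described as doing. Suggest rewording it to "we do not special-case sentinel values and return whatever label is there", and, given the review comment below about labels on non-task objects, having the function return an error for labels that are not the unconfined sentinel until that case is understood and covered by a test.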
>>
>> Since we don't have test for selinux and (AFAIK) selinux "tags" or "labels"
>> can sit on objects other than tasks, can we refuse dumping selinux labels other
>> than "unconfined" until we understand how to properly do it? (Incremental
>> patch would be OK)
>
> Sure; showing my selinux ignorance, is something like:
>
> 1. split on :
> 2. make sure the first 3 pieces start with "unconfined_"
>
> good enough?
I think yes, thank you :)
-- Pavel
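The check Tycho sketches (split the context on ':' and require the first three fields to start with "unconfined_"), written out as an added example in C. This is not code from the patch or from CRIU; the function names `selinux_ctx_is_unconfined` and `selinux_label_dumpable` are hypothetical, and the context strings in `main` are constructed samples, the Fedora one copied from the comment in the patch. It also covers the edge cases a real check has to get right: a context with no MLS range after the type field, and a context with fewer than three fields.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not CRIU code.  An SELinux context looks like
 * user:role:type[:range], e.g. "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".
 * Return 1 if the user, role and type fields all start with "unconfined_"
 * (the "unconfined" sentinel proposed in the thread), 0 otherwise.
 */
int selinux_ctx_is_unconfined(const char *ctx)
{
	static const char prefix[] = "unconfined_";
	const char *p = ctx;
	int field;

	for (field = 0; field < 3; field++) {
		const char *end;

		/* each of user, role and type must begin with "unconfined_" */
		if (strncmp(p, prefix, strlen(prefix)) != 0)
			return 0;

		end = strchr(p, ':');
		if (!end)
			/* string ended here: fine only if this was the type field */
			return field == 2;
		p = end + 1;
	}
	return 1;
}

/*
 * Hypothetical policy wrapper mirroring the review request: accept the
 * unconfined sentinel (return 0) and refuse to dump anything else (return -1)
 * until labels on non-task objects are properly handled.
 */
int selinux_label_dumpable(const char *ctx)
{
	if (selinux_ctx_is_unconfined(ctx))
		return 0;

	fprintf(stderr, "refusing to dump non-unconfined selinux label: %s\n", ctx);
	return -1;
}

int main(void)
{
	/* constructed sample contexts */
	const char *samples[] = {
		"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
		"unconfined_u:unconfined_r:unconfined_t",
		"system_u:system_r:httpd_t:s0",
		"unconfined_u:unconfined_r",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-55s dumpable=%d\n", samples[i],
		       selinux_label_dumpable(samples[i]) == 0);
	return 0;
}
```

The third field is allowed to end the string because a context from a non-MLS policy carries no range; a context that stops after two fields is rejected because it is not a well-formed user:role:type triple at all.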