[CRIU] [PATCH v2 1/3] lsm: add support for c/ring LSM profiles

Pavel Emelyanov xemul at parallels.com
Wed May 6 12:00:53 PDT 2015


On 05/06/2015 08:58 PM, Tycho Andersen wrote:
> Hi Pavel,
> 
> On Wed, May 06, 2015 at 07:15:46PM +0300, Pavel Emelyanov wrote:
>> Hi, Tycho
>>
>> Great work, thanks! I like the set and want to merge it before 1.6
>> feature freeze, but I have one comment:
>>
>>> +#ifdef CONFIG_HAS_SELINUX
>>> +static int selinux_get_label(pid_t pid, char **profile_name)
>>> +{
>>> +	security_context_t ctx;
>>> +
>>> +	if (getpidcon_raw(pid, &ctx) < 0) {
>>> +		pr_perror("getting selinux profile failed");
>>> +		return -1;
>>> +	}
>>> +
>>> +	*profile_name = xstrdup((char *)ctx);
>>> +	freecon(ctx);
>>> +	if (!*profile_name)
>>> +		return -1;
>>> +
>>> +	/*
>>> +	 * SELinux has some profile names that are sentinels for unconfined,
>>> +	 * e.g. with fedora 21 I get something like this:
>>> +	 *
>>> +	 * 	unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> +	 *
>>> +	 * However, I don't know enough about SELinux to say whether or not it
>>> +	 * is safe to ignore those as we do with apparmor above, so for now we
>>> +	 * ignore all sentinel values and try to restore whatever is there.
>>> +	 */
>>> +
>>> +	return 0;
>>> +}
>>> +#endif
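Review bot: selinux_get_label() hands back every label unchanged, so the dump side accepts confined contexts that nothing in the series tests; before `return 0;` add a check that the first three ':'-separated fields of `*profile_name` start with "unconfined_", and on failure free the string and return -1, as agreed further down in the thread. The block comment is also misleading: "we ignore all sentinel values and try to restore whatever is there" reads as if unconfined labels are skipped, while the code actually preserves them; say instead that unconfined labels are not special-cased here.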
>>
>> Since we don't have a test for selinux and (AFAIK) selinux "tags" or "labels"
>> can sit on objects other than tasks, can we refuse dumping selinux labels other
>> than "unconfined" until we understand how to properly do it? (Incremental
>> patch would be OK)
> 
> Sure; showing my selinux ignorance, is something like:
> 
>   1. split on :
>   2. make sure the first 3 pieces start with "unconfined_"
> 
> good enough?

I think yes, thank you :)

-- Pavel
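The check the thread settles on (split the context on ':' and require the first three fields to start with "unconfined_"), written out as an added example. This is not code from the CRIU patch; both function names are hypothetical, and the dump-side wrapper only mimics what such a check would return.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UNCONFINED_PREFIX "unconfined_"

/*
 * Hypothetical helper (not from the CRIU patch): true only if the user,
 * role and type fields of an SELinux context all start with "unconfined_".
 * The optional fourth field, the MLS/MCS range (e.g. "s0-s0:c0.c1023",
 * which itself contains ':'), is not inspected. Contexts with fewer than
 * three fields are treated as confined so the caller refuses them.
 */
static bool selinux_label_is_unconfined(const char *ctx)
{
	const size_t plen = strlen(UNCONFINED_PREFIX);
	const char *field = ctx;
	int i;

	if (!ctx)
		return false;

	for (i = 0; i < 3; i++) {
		const char *end = strchr(field, ':');
		size_t len = end ? (size_t)(end - field) : strlen(field);

		if (len < plen || strncmp(field, UNCONFINED_PREFIX, plen) != 0)
			return false;
		if (!end)
			return i == 2;	/* the type field was the last one */
		field = end + 1;
	}
	return true;
}

/*
 * What the dump side would do with the label getpidcon_raw() returned:
 * refuse (-1) anything that is not unconfined, accept (0) otherwise.
 */
static int check_selinux_label_for_dump(const char *ctx)
{
	if (!selinux_label_is_unconfined(ctx)) {
		fprintf(stderr, "refusing to dump selinux label '%s'\n",
			ctx ? ctx : "(null)");
		return -1;
	}
	return 0;
}
```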


