From 78d36d2111cd4ca722a602846f7db8f54a0b074c Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 23 Jul 2013 17:38:41 -0400 Subject: SELinux: Enable setting security contexts on rootfs inodes. rootfs (ramfs) can support setting of security contexts by userspace due to the vfs fallback behavior of calling the security module to set the in-core inode state for security.* attributes when the filesystem does not provide an xattr handler. No xattr handler required as the inodes are pinned in memory and have no backing store. This is useful in allowing early userspace to label individual files within a rootfs while still providing a policy-defined default via genfs. Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore Signed-off-by: Eric Paris
---
security/selinux/hooks.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d0cfaa9f19d0..0ff911a94757 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -464,6 +464,13 @@ static int sb_finish_set_opts(struct super_block *sb)
 if (selinux_is_sblabel_mnt(sb))
 sbsec->flags |= SBLABEL_MNT;
+ /*
+ * Special handling for rootfs. Is genfs but supports
+ * setting SELinux context on in-core inodes.
+ */
+ if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
+ sbsec->flags |= SE_SBLABELSUPP;
+
 /* Initialize the root inode. */
 rc = inode_doinit_with_dentry(root_inode, root);
-- cgit v1.2.3
From 43e1b4f528e1654fadd1097f7cc5c50be6e45b77 Mon Sep 17 00:00:00 2001 
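Review bot: The rootfs test is written as `strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0`, which compares seven bytes including the terminator and is therefore an exact match; `if (strcmp(sb->s_type->name, "rootfs") == 0)` states that directly and cannot be misread as a prefix match. The flag is also set outside `selinux_is_sblabel_mnt()`, which the hunk's first context line calls, so any other caller of that helper (none is visible here) would still treat rootfs as not label-capable; moving the name test into the helper would keep the labeling decision in one place. The added comment could also record why no xattr handler is needed, for example `/* rootfs inodes are pinned in memory with no backing store, so the label is kept in-core only. */`, which is what the commit message explains. sb_finish_set_opts() begins and ends outside the hunk.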
From: Amit Pundir Date: Fri, 30 Oct 2015 00:47:53 +0530 Subject: SELinux: build fix for 4.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit "SELinux: Enable setting security contexts on rootfs inodes." cherry-picked in experimental/android-4.1 used a now obsolete flag SE_SBLABELSUPP. Rename it to SBLABEL_MNT as intended by upstream commit 12f348b9dcf6 "SELinux: rename SE_SBLABELSUPP to SBLABEL_MNT", otherwise we run into following build error: CC security/selinux/hooks.o security/selinux/hooks.c: In function ‘sb_finish_set_opts’: security/selinux/hooks.c:459:19: error: ‘SE_SBLABELSUPP’ undeclared (first use in this function) sbsec->flags |= SE_SBLABELSUPP; ^ security/selinux/hooks.c:459:19: note: each undeclared identifier is reported only once for each function it appears in make[2]: *** [security/selinux/hooks.o] Error 1 Signed-off-by: Amit Pundir
---
security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/selinux/hooks.c')
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0ff911a94757..7c22a15c7e4b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -469,7 +469,7 @@ static int sb_finish_set_opts(struct super_block *sb)
 * setting SELinux context on in-core inodes.
 */
 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
- sbsec->flags |= SE_SBLABELSUPP;
+ sbsec->flags |= SBLABEL_MNT;
 /* Initialize the root inode. */
 rc = inode_doinit_with_dentry(root_inode, root);
-- cgit v1.2.3