korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-26 07:44:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
2651225b5e
linux/security/selinux
History
Stephen Smalley 2651225b5e selinux: wrap cgroup seclabel support with its own policy capability 
commit 1ea0ce4069 ("selinux: allow
changing labels for cgroupfs") broke the Android init program,
which looks up security contexts whenever creating directories
and attempts to assign them via setfscreatecon().
When creating subdirectories in cgroup mounts, this would previously
be ignored since cgroup did not support userspace setting of security
contexts.  However, after the commit, SELinux would attempt to honor
the requested context on cgroup directories and fail due to permission
denial.  Avoid breaking existing userspace/policy by wrapping this change
with a conditional on a new cgroup_seclabel policy capability.  This
preserves existing behavior until/unless a new policy explicitly enables
this capability.

Reported-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2017-03-02 10:27:40 +11:00
..
include selinux: wrap cgroup seclabel support with its own policy capability 2017-03-02 10:27:40 +11:00
ss selinux: wrap cgroup seclabel support with its own policy capability 2017-03-02 10:27:40 +11:00
.gitignore SELinux: add .gitignore files for dynamic classes 2009-10-24 09:42:27 +08:00
avc.c Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next 2015-08-15 13:29:57 +10:00
exports.c selinux: sparse fix: include selinux.h in exports.c 2011-09-09 16:56:32 -07:00
hooks.c selinux: wrap cgroup seclabel support with its own policy capability 2017-03-02 10:27:40 +11:00
Kconfig selinux: drop SECURITY_SELINUX_POLICYDB_VERSION_MAX 2016-08-18 20:01:15 -04:00
Makefile selinux: use absolute path to include directory 2016-01-28 10:37:15 -05:00
netif.c Merge commit 'v3.17' into next 2014-11-19 21:32:12 +11:00
netlabel.c calipso: Add a label cache. 2016-06-27 15:06:17 -04:00
netlink.c selinux: replace obsolete NLMSG_* with type safe nlmsg_* 2013-03-28 14:25:49 -04:00
netnode.c selinux: remove unused variabled in the netport, netnode, and netif caches 2014-08-07 20:55:30 -04:00
netport.c selinux: remove unused variabled in the netport, netnode, and netif caches 2014-08-07 20:55:30 -04:00
nlmsgtab.c rtnetlink: add new RTM_GETSTATS message to dump link stats 2016-04-20 15:43:42 -04:00
selinuxfs.c selinux: wrap cgroup seclabel support with its own policy capability 2017-03-02 10:27:40 +11:00
xfrm.c netfilter: Remove spurios included of netfilter.h 2015-06-18 21:14:32 +02:00