author Stephen Smalley <sds@tycho.nsa.gov> 2013-07-23 17:38:41 -0400
committer Greg Hackmann <ghackmann@google.com> 2014-06-24 20:35:19 +0000
commit 364a09b74ecbcee9411c3677212f0392d3c876de
tree 1d16c63b7516a63cec5c4fd20c524116a3a7548c /security
parent f6f56efe7de93cd091ee456921a6043da370c22a
SELinux: Enable setting security contexts on rootfs inodes.

rootfs (ramfs) can support setting of security contexts by userspace due to the vfs fallback behavior of calling the security module to set the in-core inode state for security.* attributes when the filesystem does not provide an xattr handler. No xattr handler required as the inodes are pinned in memory and have no backing store.

This is useful in allowing early userspace to label individual files within a rootfs while still providing a policy-defined default via genfs.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>

Diffstat (limited to 'security')
-rw-r--r-- security/selinux/hooks.c 7
1 files changed, 7 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 44087388010..a8de30bd733 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -422,6 +422,13 @@ static int sb_finish_set_opts(struct super_block *sb)
if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
sbsec->flags |= SE_SBLABELSUPP;
+ /*
+ * Special handling for rootfs. Is genfs but supports
+ * setting SELinux context on in-core inodes.
+ */
+ if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
+ sbsec->flags |= SE_SBLABELSUPP;
+
/* Initialize the root inode. */
rc = inode_doinit_with_dentry(root_inode, root);
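Review bot: The added rootfs check duplicates the sysfs test directly above it, with the same body (sbsec->flags |= SE_SBLABELSUPP), so the two would read better as a single condition or a small helper that names the filesystem types allowed to take in-core labels. Because sizeof("rootfs") counts the terminating NUL, the strncmp is already an exact match on the type name, and a plain strcmp would say that more directly. The new comment could also carry the reasoning from the commit message: labelling works here only through the vfs fallback to the security module when the filesystem has no xattr handler, and the labels exist only in the pinned in-core inodes with no backing store.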