author | Ondrej Mosnacek <omosnace@redhat.com> | 2019-02-22 15:57:14 +0100 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2019-03-20 21:53:04 -0400 |
commit | b754026bd98e644f9337224ffd4201e02dfe1c43 (patch) | |
tree | 28bcd384136745922f26e5cfed3b1511d2461f9a /security/selinux/include/security.h | |
parent | d0c9c153b4bd6963c8fcccbc0caa12e8fa8d971d (diff) | |

selinux: try security xattr after genfs for kernfs filesystems

Since kernfs supports the security xattr handlers, we can simply use
these to determine the inode's context, dropping the need to update it
from kernfs explicitly using a security_inode_notifysecctx() call.

We achieve this by setting a new sbsec flag SE_SBGENFS_XATTR to all
mounts that are known to use kernfs under the hood and then fetching the
xattrs after determining the fallback genfs sid in
inode_doinit_with_dentry() when this flag is set.

This will allow implementing full security xattr support in kernfs and
removing the ...notifysecctx() call in a subsequent patch.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: more manual merge fixups]
Signed-off-by: Paul Moore <paul@paul-moore.com>

Diffstat (limited to 'security/selinux/include/security.h')
-rw-r--r-- | security/selinux/include/security.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index b5b7c5aade8c..111121281c47 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -58,6 +58,7 @@ #define SE_SBINITIALIZED 0x0100 #define SE_SBPROC 0x0200 #define SE_SBGENFS 0x0400 +#define SE_SBGENFS_XATTR 0x0800 #define CONTEXT_STR "context" #define FSCONTEXT_STR "fscontext" |
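
Review bot: The added line `#define SE_SBGENFS_XATTR 0x0800` carries no comment, and placed directly under `SE_SBGENFS 0x0400` its name reads like a variant of that flag even though it is an independent bit in the same flag word. A one-line comment on the define, stating that it marks kernfs-backed mounts for which inode_doinit_with_dentry() fetches the security xattr after determining the genfs fallback SID (as the commit message describes), would keep the two from being confused by later readers. This view is limited to security.h and shows only the 0x0100, 0x0200 and 0x0400 neighbours, so it is also worth confirming that no other sbsec flag outside the visible context already uses 0x0800.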