Message ID | 20170202152257.30220-1-runcom@redhat.com (mailing list archive) |
---|---|
State | Accepted |
We need this patch set to tighten security inside of containers to only allow certain directories in the cgroup file system to be used by the containers. In order to make this work, SELinux policy also needs to be modified. On 02/02/2017 10:22 AM, Antonio Murdaca wrote: > This patch allows changing labels for cgroup mounts. Previously, running > chcon on cgroupfs would throw an "Operation not supported". This patch > specifically whitelist cgroupfs. > > The patch could also allow containers to write only to the systemd cgroup > for instance, while the other cgroups are kept with cgroup_t label. > > Signed-off-by: Antonio Murdaca <runcom@redhat.com> > --- > Changes in v2: > - whitelist cgroup2 fs type > > security/selinux/hooks.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3b955c6..2789f0a 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -480,6 +480,8 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) > sbsec->behavior == SECURITY_FS_USE_NATIVE || > /* Special handling. Genfs but also in-core setxattr handler */ > !strcmp(sb->s_type->name, "sysfs") || > + !strcmp(sb->s_type->name, "cgroup") || > + !strcmp(sb->s_type->name, "cgroup2") || > !strcmp(sb->s_type->name, "pstore") || > !strcmp(sb->s_type->name, "debugfs") || > !strcmp(sb->s_type->name, "tracefs") ||
On Thu, 2017-02-02 at 16:22 +0100, Antonio Murdaca wrote: > This patch allows changing labels for cgroup mounts. Previously, > running > chcon on cgroupfs would throw an "Operation not supported". This > patch > specifically whitelist cgroupfs. > > The patch could also allow containers to write only to the systemd > cgroup > for instance, while the other cgroups are kept with cgroup_t label. > > Signed-off-by: Antonio Murdaca <runcom@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > Changes in v2: > - whitelist cgroup2 fs type > > security/selinux/hooks.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3b955c6..2789f0a 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -480,6 +480,8 @@ static int selinux_is_sblabel_mnt(struct > super_block *sb) > sbsec->behavior == SECURITY_FS_USE_NATIVE || > /* Special handling. Genfs but also in-core setxattr > handler */ > !strcmp(sb->s_type->name, "sysfs") || > + !strcmp(sb->s_type->name, "cgroup") || > + !strcmp(sb->s_type->name, "cgroup2") || > !strcmp(sb->s_type->name, "pstore") || > !strcmp(sb->s_type->name, "debugfs") || > !strcmp(sb->s_type->name, "tracefs") ||
On Thu, Feb 2, 2017 at 10:22 AM, Antonio Murdaca <amurdaca@redhat.com> wrote: > This patch allows changing labels for cgroup mounts. Previously, running > chcon on cgroupfs would throw an "Operation not supported". This patch > specifically whitelist cgroupfs. > > The patch could also allow containers to write only to the systemd cgroup > for instance, while the other cgroups are kept with cgroup_t label. > > Signed-off-by: Antonio Murdaca <runcom@redhat.com> > --- > Changes in v2: > - whitelist cgroup2 fs type > > security/selinux/hooks.c | 2 ++ > 1 file changed, 2 insertions(+) Merged into selinux/next, thanks. > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3b955c6..2789f0a 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -480,6 +480,8 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) > sbsec->behavior == SECURITY_FS_USE_NATIVE || > /* Special handling. Genfs but also in-core setxattr handler */ > !strcmp(sb->s_type->name, "sysfs") || > + !strcmp(sb->s_type->name, "cgroup") || > + !strcmp(sb->s_type->name, "cgroup2") || > !strcmp(sb->s_type->name, "pstore") || > !strcmp(sb->s_type->name, "debugfs") || > !strcmp(sb->s_type->name, "tracefs") || > -- > 2.9.3
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3b955c6..2789f0a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -480,6 +480,8 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) sbsec->behavior == SECURITY_FS_USE_NATIVE || /* Special handling. Genfs but also in-core setxattr handler */ !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "cgroup") || + !strcmp(sb->s_type->name, "cgroup2") || !strcmp(sb->s_type->name, "pstore") || !strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") ||
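Review bot: the two added `strcmp` lines for "cgroup" and "cgroup2" sit under the comment "Special handling. Genfs but also in-core setxattr handler", which is the condition for an entry in this list, so the commit message should state explicitly that both filesystem types meet it, and should spell out what "in-core" means for users of the change: a label set with chcon on cgroupfs lives only in memory and does not persist beyond the mount, which is why the SELinux policy change mentioned in the first reply is still needed to get the intended per-cgroup labels (e.g. a writable systemd cgroup while the rest stay cgroup_t) applied when a container starts. Two smaller points on the commit message: "This patch specifically whitelist cgroupfs" should read "whitelists", and the v2 entry "whitelist cgroup2 fs type" would be clearer as a sentence saying why cgroup2 has to be listed in addition to cgroup.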
This patch allows changing labels for cgroup mounts. Previously, running chcon on cgroupfs would throw an "Operation not supported". This patch specifically whitelists cgroupfs.

The patch could also allow containers to write only to the systemd cgroup for instance, while the other cgroups are kept with the cgroup_t label.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
---
Changes in v2:
- whitelist cgroup2 fs type

 security/selinux/hooks.c | 2 ++
 1 file changed, 2 insertions(+)
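A defender-side check to go with the commit message above, added here and not part of the patch or the thread: it reads a file in /proc/mounts format and reports, for each cgroup and cgroup2 mount, whether the kernel exported the `seclabel` mount option, which SELinux adds for superblocks it allows to be relabeled (what this patch enables for cgroupfs); mounts without it keep a single fixed label such as cgroup_t. The sample mount table is constructed, not captured from a real host; on a live system pass /proc/mounts instead.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts output (not from a real host): one cgroup v1
# hierarchy the kernel reports as relabelable (seclabel), one cgroup v1 hierarchy
# and the cgroup2 mount without it, plus two non-cgroup mounts that must be ignored.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,seclabel,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0'

# cgroup_relabel_status MOUNTS_FILE
# Fields in /proc/mounts are: device mountpoint fstype options dump pass.
# For every cgroup or cgroup2 mount print "<mountpoint> <fstype> <status>":
#   relabelable - the options contain "seclabel", so chcon/setfiles can change
#                 per-file labels (the behaviour the patch enables for cgroupfs)
#   fixed       - no "seclabel": every file keeps the one label assigned by
#                 policy (for example cgroup_t), and chcon fails
cgroup_relabel_status() {
    awk '$3 == "cgroup" || $3 == "cgroup2" {
        status = "fixed"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "seclabel") status = "relabelable"
        print $2, $3, status
    }' "$1"
}

# count_relabelable MOUNTS_FILE: how many cgroup mounts allow label changes
count_relabelable() {
    cgroup_relabel_status "$1" | awk '$3 == "relabelable" { n++ } END { print n + 0 }'
}

# Run the check over the constructed sample; use /proc/mounts on a live host.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$sample_file"
cgroup_relabel_status "$sample_file"
rm -f "$sample_file"
```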