Re: [PATCH] selinux: allow kernfs symlinks to inherit parent directory context

[Stephen Smalley]

On 1/24/20 2:08 PM, Christian GÃttsche wrote:
> Am Fr., 24. Jan. 2020 um 19:53 Uhr schrieb Stephen Smalley <sds@xxxxxxxxxxxxx>:
> > On 1/24/20 1:42 PM, Christian GÃttsche wrote:
> > > Currently symlinks on kernel filesystems, like sysfs, are labeled on
> > > creation with the parent fs root sid.
> > >
> > > Allow symlinks to inherit the parent directory context, so fine-grained
> > > kernfs labeling can be applied to symlinks too and checking contexts
> > > doesn't complain about them.
> > >
> > > For backward-compatibility this behavior is contained in a new policy
> > > capability: kernfs_sovereign_symlinks
> > >
> > > Signed-off-by: Christian GÃttsche <cgzones@xxxxxxxxxxxxxx>
> > > ---

> > Not fond of the name.  1) kernfs is a kernel implementation detail,
> > shouldn't be exposed to policy; genfs is the policy construct 2)
> > sovereign doesn't seem to fit the meaning of this capability; seclabel
> > would be more appropriate.
>
> Something like genfs_seclabel_symlinks?

Works for me.

> > > +                  (sbsec->flags & SE_SBGENFS_XATTR))) {
> >
> > Why limit this to SE_SBGENFS_XATTR filesystems?  Why not just make the test:
> >          if ((sbsec->flags & SE_SBGENFS) && (!S_ISLNK(inode->i_mode) ||
> > selinux_policycap_genfs_symlinkseclabel()))
> > or similar.
>
> I somehow thought that this functionality is limited to filesystems
> with SE_SBGENFS_XATTR;
> so I can expand the check to SE_SBGENFS.

I could be wrong but I don't see why it would need to be limited in that 
way.