Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
IronPort-PHdr: =?us-ascii?q?9a23=3A87JOIxwop/ngOSnXCy+O+j09IxM/srCxBDY+r6?=
 =?us-ascii?q?Qd0ugULPad9pjvdHbS+e9qxAeQG9mCsLQe1rKd6vq8EUU7or+5+EgYd5JNUx?=
 =?us-ascii?q?JXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQ?=
 =?us-ascii?q?viPgRpOOv1BpTSj8Oq3Oyu5pHfeQpFiCezbL9oMhm7rRndusYLjYd8Jas61w?=
 =?us-ascii?q?fErGZPd+lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2?=
 =?us-ascii?q?466svrtQLeTQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUj?=
 =?us-ascii?q?ms86tnVBnlgzocOjUn7G/YlNB/jKNDoBKguRN/xZLUYJqIP/Z6Z6/RYM8WSX?=
 =?us-ascii?q?ZEUstXWSNBGIe8ZJYRAeQHM+hTso3xq0IAoBa6AAWhAv7kxD1ViX/sxaA0zv?=
 =?us-ascii?q?ovEQ/G0gIjEdwBvnvbo9fpO6kdSu210KvFwC/fY/9K1zrw6o7FeQ0hr/GWWr?=
 =?us-ascii?q?JwdNLcx1QzFwzbllWQqZLqPzWI3eoQtmiU9e5gVeaxhG8ntgp8pSOvydo3io?=
 =?us-ascii?q?TSmoIUykzL9SV+wIovI924U1R0bcSrEJtXqSGXLo17Sd4hTWFwoCs217ILtJ?=
 =?us-ascii?q?GhcCUK1Zgr3QDTZvOZf4SS/x7uUvuaLy1ii3J/Yr2/gg6/8U2nyuLhSMa5yE?=
 =?us-ascii?q?1Kri9ZktnUsXANygDT5tCHSvRj+keh3i6C1xzJ5eFeIEA0iLHbJ4Qgwr42mJ?=
 =?us-ascii?q?oTtl/DETHql0nskK+Xdlkr+uiv6+j9ZLXpuoScOJNuhgH7M6QuntSzAeU+Mg?=
 =?us-ascii?q?cQQ2iW4fmw2bLs8EHjQLhGk+c6nrfWvZzEP8gXu7a1AwpP3YYi7xa/AS2m0N?=
 =?us-ascii?q?MdnXQfN1JKZQmHgpP1O1DOPP/4DfC/j06qkDdw3f/KJLLhApLTLnTbirfuYa?=
 =?us-ascii?q?5961JAyAo01d1f54hUCrAcL/PzQED8r9PYDhg+Mwy7x+boFs9x2Z8ZWWKKGq?=
 =?us-ascii?q?WZKr/dsUeU5uIzJOmBfJcVtyzgK/gh/PPulWU2mUIZfaWw2JsXb3e4Hu54LE?=
 =?us-ascii?q?mDfXXshdIBG38QvgUiVOzqlEGCUTlLanmsR6Iz/Cs7CIO9DYrYXoCimqaB3C?=
 =?us-ascii?q?agHp1OYmBJEEyDHmnye4WDQfcMZzqYItV9nTwcSbihV4gh2Am1tADkz7pnL+?=
 =?us-ascii?q?zU+jAXtJ/4yth16PPclQso+Tx3EcudyWeNQH9wnm8SQD82xq9/q1Rnylifya?=
 =?us-ascii?q?h4n+BYFdtL6vNNUwc6M4PczuNjB9DxRA3BZNGJR0iiQti9HzExQcw+w8UUb0?=
 =?us-ascii?q?Z+BdqilBbD0DSuA7MPkLyLHpM0+LrG33ftP8Z912rG1K45glklXMRPL2umib?=
 =?us-ascii?q?B79wTKG47GjV+Wl6OxeKsG2i7C6X2DzW2PvE5FSgJ/TaLFXXUHbEvMsdv5/l?=
 =?us-ascii?q?/CT6OpCbk/MAtO18CCKqVUatDyglVGQ/DjONvaY22vgWu/GRGIxraUZorwZ2?=
 =?us-ascii?q?odxDndCFQDkw0L5naJLww+ByegomPeCjxjDkjgY0Xx/ulkr3O7T1I7wxuWYE?=
 =?us-ascii?q?1m0rrmsiIS0NyGSv8C1/o6sSM6oi99Hkv1i9LMCtaRriJue6JTZd5761BCgz?=
 =?us-ascii?q?H3rQt4a6e8Irhii1hWSAF+u0fjxl0jEYlbudQ7p3MtigxpIOSX100XJGDQ5o?=
 =?us-ascii?q?z5JrCCcjq6xxuocaODnwiFgds=3D?=
Subject: Re: [PATCH] security: selinux: allow per-file labelling for binderfs
To:     Hridya Valsaraju <hridya@google.com>
Cc:     Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@parisplace.org>, selinux@vger.kernel.org,
        LKML <linux-kernel@vger.kernel.org>,
        Android Kernel Team <kernel-team@android.com>,
        Jeff Vander Stoep <jeffv@google.com>,
        Mark Salyzyn <salyzyn@android.com>
References: <20200106181329.167322-1-hridya@google.com>
 <d78e4db4-5847-082c-189a-f13d7d6a6c7a@tycho.nsa.gov>
 <CA+wgaPMHWOVYo_pVeYuvj6CrQOgy9=vQco+tnGHjPX3=CLh5wA@mail.gmail.com>
From:   Stephen Smalley <sds@tycho.nsa.gov>
Message-ID: <c1354989-1e08-1433-f2c0-5984da341cf5@tycho.nsa.gov>
Date:   Mon, 6 Jan 2020 14:33:58 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.3.1
MIME-Version: 1.0
In-Reply-To: <CA+wgaPMHWOVYo_pVeYuvj6CrQOgy9=vQco+tnGHjPX3=CLh5wA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On 1/6/20 2:06 PM, Hridya Valsaraju wrote:
> On Mon, Jan 6, 2020 at 10:33 AM 'Stephen Smalley' via kernel-team
> <kernel-team@android.com> wrote:
>>
>> On 1/6/20 1:13 PM, Hridya Valsaraju wrote:
>>> This patch allows genfscon per-file labeling for binderfs.
>>> This is required to have separate permissions to allow
>>> access to binder, hwbinder and vndbinder devices which are
>>> relocating to binderfs.
>>>
>>> Acked-by: Jeff Vander Stoep <jeffv@google.com>
>>> Acked-by: Mark Salyzyn <salyzyn@android.com>
>>> Signed-off-by: Hridya Valsaraju <hridya@google.com>
>>
>> Do you want binderfs to also support userspace labeling of files via
>> setxattr()?  If so, you'll want to also add it to
>> selinux_is_genfs_special_handling() as well.
> 
> Thank you for the quick response Stephen :) I cannot think of a
> use-case for the userspace labelling of files in binderfs via
> setxattr() as of now. I
> will make the change if one comes up!

Ok, then you can include my:
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> 
> Thanks,
> Hridya
> 
> 
>>
>>> ---
>>>    security/selinux/hooks.c | 1 +
>>>    1 file changed, 1 insertion(+)
>>>
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 116b4d644f68..3f0669a708e9 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -752,6 +752,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>>>
>>>        if (!strcmp(sb->s_type->name, "debugfs") ||
>>>            !strcmp(sb->s_type->name, "tracefs") ||
>>> +         !strcmp(sb->s_type->name, "binderfs") ||
>>>            !strcmp(sb->s_type->name, "pstore"))
>>>                sbsec->flags |= SE_SBGENFS;
>>>
>>>
>>
>> --
>> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
>>