mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2025-02-06 02:25:23 +00:00
d994e51b28
Writing xattrs in the security namespace requires CAP_SYS_ADMIN in the
namespace that mounted the file system. The fs device doesn't have this
capability when run in a sandbox (and in the case of the /home directory
on chrome os, will never be able to gain it).
We've been able to set selinux xattrs so far because the selinux module
relaxes the capability check in favor of an selinux-based MAC check.
However, android also wants to be able to set the "security.sehash"
xattr, which is described in the manpage as a "performance optimization"
when recursively relabeling files.
Unfortunately since the android team nacked the kernel patch[1] that
would have relaxed the requirements for just the "security.sehash"
xattr, the only option for us is to rewrite the xattr name and prefix it
with "user.virtiofs" so that it ends up in the "user." xattr namespace.
The server should always have permission to create xattrs there.
BUG=b:155443663
TEST=start a vm and successfully set the security.sehash xattr then
check on the host side that it is actually stored as
user.virtiofs.security.sehash
[1]: https://www.spinics.net/lists/selinux/msg32330.html
Change-Id: Icd17b76c946c92d92009f0cc2b8b50c92ac580c6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2243111
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
|
||
|---|---|---|
| .. | ||
| plugin | ||
| argument.rs | ||
| crosvm.rs | ||
| linux.rs | ||
| main.rs | ||
| panic_hook.rs | ||