| author | Vivek Goyal <vgoyal@redhat.com> | 2022-02-08 15:48:11 -0500 |
|---|---|---|
| committer | Dr. David Alan Gilbert <dgilbert@redhat.com> | 2022-02-17 17:22:26 +0000 |
| commit | 0c3f81e13184ef0dc4b7c1a2afc15cb77fdad99b (patch) | |
| tree | a6203c33fbd18aa0d5b19846969a95cba2f960e6 /fsdev | |
| parent | cb282e556acef3764adde88701ec923a0731bc56 (diff) | |
virtiofsd: Create new file with security context
This patch adds support for creating a new file with the security context
as sent by the client. It basically takes three paths.

- If no security context is enabled, then it continues to create files without
  a security context.

- If security context is enabled but security.selinux has not been
  remapped, then it uses the /proc/thread-self/attr/fscreate knob to set the
  security context and then creates the file. This will make sure that the
  newly created file gets the security context as set in "fscreate" and
  this is atomic w.r.t. file creation.

  This is useful when host and guest SELinux policies don't conflict and
  can work with each other. In that case, the guest security.selinux xattr
  is not remapped and it is passed through as the "security.selinux" xattr
  on the host.

- If security context is enabled but the security.selinux xattr has been
  remapped to something else, then it first creates the file and then
  uses setxattr() to set the remapped xattr with the security context.
  This is a non-atomic operation w.r.t. file creation.

  This mode will be the most versatile and allow host and guest to have their
  own separate SELinux xattrs and have their own separate SELinux policies.
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Message-Id: <20220208204813.682906-9-vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>