CHROMIUM: fuse: virtiofs: Run security hooks on new inodes

Temporary fix to allow user builds to work. Remove after
https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4979355 is merged.

This replaces the FROMLIST patches that were providing the same behavior. Since those patches are basically being ignored by the maintainer and they change the protocol, we can't really maintain them long term. Upstream has already landed another change that uses the same feature bit for a different feature.

This patch implements the same behavior without changing the public interface by using security_inode_init_security instead of security_dentry_init_security.

One downside of this change is that security xattrs are not applied atomically on creation on the host. However they are still atomic from the perspective of the guest. This isn't a big issue for arcvm because it always runs restorecon on boot anyway so even in the case of power loss, the xattrs will be set appropriately the next time arcvm boots.

This behavior is always enabled for virtiofs and always disabled for regular fuse filesystems, again so that we don't need to make changes to the public protocol.

BUG=b:304606864
TEST=arc.Boot.vm works with user builds

[5.4-arcvm: picked from 5.4]
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2581172
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2604783
Commit-Queue: Lepton Wu <lepton@chromium.org>
Reviewed-by: Lepton Wu <lepton@chromium.org>
[5.10-arcvm: context conflict resolved]
Change-Id: I82d857e13fbd68a69eda80a70d2d38c08beb1921
Signed-off-by: Hikaru Nishida <hikalium@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2992595
Reviewed-by: Suleiman Souhlal <suleiman@chromium.org>
[arcvm-5.15-gki-base: context conflict resolved]
Change-Id: Ice3990240dacb256cff2a96d343a0b14d0237028
Signed-off-by: Richard Fung <richardfung@google.com>