Re: [PATCH] Capture selinux subject/object context information.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2006-03-27 at 02:28 -0500, James Morris wrote:
> On Sat, 25 Mar 2006, Linux Kernel Mailing List wrote:
> 
> > commit 8c8570fb8feef2bc166bee75a85748b25cda22d9
> > tree ed783d405ea9d5f3d3ccc57fb56c7b7cb2cdfb82
> > parent c8edc80c8b8c397c53f4f659a05b9ea6208029bf
> > author Dustin Kirkland <[email protected]> Thu, 03 Nov 2005 17:15:16 +0000
> > committer Al Viro <[email protected]> Tue, 21 Mar 2006 00:08:54 -0500
> > 
> > [PATCH] Capture selinux subject/object context information.
> > 
> 
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -869,6 +869,11 @@ struct swap_info_struct;
> >   *	@ipcp contains the kernel IPC permission structure
> >   *	@flag contains the desired (requested) permission set
> >   *	Return 0 if permission is granted.
> > + * @ipc_getsecurity:
> > + *      Copy the security label associated with the ipc object into
> > + *      @buffer.  @buffer may be NULL to request the size of the buffer 
> > + *      required.  @size indicates the size of @buffer in bytes. Return 
> > + *      number of bytes used/required on success.
> 
> I may have missed it, but was this change discussed on the LSM list?

No, it was discussed on redhat-lspp and linux-audit.

> 
> > +	char *(*inode_xattr_getsuffix) (void);
> 
> Not documented?
> 
> >  static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
> 
> > -	if (err > 0) {
> > -		if ((len == err) && !(memcmp(context, buffer, len))) {
> > -			/* Don't need to canonicalize value */
> > -			rc = err;
> > -			goto out_free;
> > -		}
> > -		memset(buffer, 0, size);
> > -	}
> 
> Where did this functionality go?

I raised the same concern in Dec (subj: audit patches in -mm that alter
current SELinux behavior), but concluded that falling through to
selinux_getsecurity() in all cases does no harm and the real cost here
is in the generation of the context string, so we don't save much by the
shortcut that was removed above.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux