From: Paul Moore <paul@paul-moore.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
linux-security-module@vger.kernel.org,
James Morris <jmorris@namei.org>,
Steven Rostedt <rostedt@goodmis.org>,
Ingo Molnar <mingo@redhat.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
selinux@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
x86@kernel.org, linux-acpi@vger.kernel.org,
linux-cxl@vger.kernel.org, linux-efi@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-pci@vger.kernel.org,
linux-pm@vger.kernel.org, linux-serial@vger.kernel.org,
bpf@vger.kernel.org, netdev@vger.kernel.org,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v3] lockdown,selinux: fix wrong subject in some SELinux lockdown checks
Date: Mon, 12 Jul 2021 22:34:45 -0400 [thread overview]
Message-ID: <CAHC9VhRAN4RS2c3cwpr=DQ_45MDqn2QV7nL4J3ZWXKfUNLcjdQ@mail.gmail.com> (raw)
In-Reply-To: <8735tdiyc1.ffs@nanos.tec.linutronix.de>
On Sat, Jun 19, 2021 at 1:00 PM Thomas Gleixner <tglx@linutronix.de> wrote:
> On Wed, Jun 16 2021 at 10:51, Ondrej Mosnacek wrote:
> > diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
> > index bda73cb7a044..c43a13241ae8 100644
> > --- a/arch/x86/mm/testmmiotrace.c
> > +++ b/arch/x86/mm/testmmiotrace.c
> > @@ -116,7 +116,7 @@ static void do_test_bulk_ioremapping(void)
> > static int __init init(void)
> > {
> > unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
> > - int ret = security_locked_down(LOCKDOWN_MMIOTRACE);
> > + int ret = security_locked_down(current_cred(), LOCKDOWN_MMIOTRACE);
>
> I have no real objection to those patches, but it strikes me odd that
> out of the 62 changed places 58 have 'current_cred()' and 4 have NULL as
> argument.
>
> I can't see why this would ever end up with anything else than
> current_cred() or NULL and NULL being the 'special' case. So why not
> having security_locked_down_no_cred() and make current_cred() implicit
> for security_locked_down() which avoids most of the churn and just makes
> the special cases special. I might be missing something though.
Unfortunately it is not uncommon for kernel subsystems to add, move,
or otherwise play around with LSM hooks without checking with the LSM
folks; generally this is okay, but there have been a few problems in
the past and I try to keep that in mind when we are introducing new
hooks or modifying existing ones. If we have two LSM hooks for
roughly the same control point it has the potential to cause
confusion, e.g. do I use the "normal" or the "no_cred" version? What
if I don't want to pass a credential, can I just use "no_cred"? My
thinking with the single, always-pass-a-cred function is that callers
don't have to worry about choosing from multiple, similar hooks and
they know they need to pass a cred which hopefully gets them thinking
about what cred is appropriate. It's not foolproof, but I believe the
single hook approach will be less prone to accidents ... or so I hope
:)
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2021-07-13 2:35 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-16 8:51 [PATCH v3] lockdown,selinux: fix wrong subject in some SELinux lockdown checks Ondrej Mosnacek
2021-06-18 3:40 ` Paul Moore
2021-08-31 9:08 ` Ondrej Mosnacek
2021-08-31 13:49 ` Paul Moore
2021-06-18 22:18 ` Dan Williams
2021-08-31 9:09 ` Ondrej Mosnacek
2021-08-31 13:53 ` Paul Moore
2021-08-31 18:58 ` Dan Williams
2021-08-31 18:59 ` Paul Moore
2021-06-19 17:00 ` Thomas Gleixner
2021-07-13 2:34 ` Paul Moore [this message]
2021-06-21 8:35 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhRAN4RS2c3cwpr=DQ_45MDqn2QV7nL4J3ZWXKfUNLcjdQ@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=bpf@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).