selinux.vger.kernel.org archive mirror
From: Stephen Smalley <sds@tycho.nsa.gov>
To: "William A. Kennington III" <william@wkennington.com>,
	selinux@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH] selinux: Fix classmap for BPF
Date: Wed, 6 Feb 2019 09:33:01 -0500
Message-ID: <3cee3c78-348f-1b10-b687-9d1ab5837716@tycho.nsa.gov>
In-Reply-To: <cebc12f0-5fb0-218c-331a-a785e2eece70@tycho.nsa.gov>

On 2/6/19 9:04 AM, Stephen Smalley wrote:
> On 2/5/19 11:17 PM, William A. Kennington III wrote:
>> Entries in the secclass_map are expexted to be null terminated. The BPF
>> entry was added without the NULL terminating and incosistent formatting.
>> This patch cleans that up.
> 
> Thanks.  A few minor nits:
> 
> A couple of spelling errors above (expected, inconsistent).  Also, per 
> Documentation/process/submitting-patches.rst, rather than say "This 
> patch cleans that up", say "Clean that up" or similar.
> 
> Can add a:
> Fixes:  ec27c3568a34c7f ("selinux: bpf: Add selinux check for eBPF 
> syscall operations")

Although I guess there isn't really a bug here; this is just a 
consistency / style issue.  secclass_map[] is defined as:

struct security_class_mapping {
         const char *name;
         const char *perms[sizeof(u32) * 8 + 1];
};

struct security_class_mapping secclass_map[];

So even if you were to omit the terminating NULL from each permission 
list, any remaining slots in the perms array should be initialized to 
NULL automatically.  We only truly need the explicit NULL terminator to 
end the class list.

> 
>>
>> Signed-off-by: William A. Kennington III <william@wkennington.com>
>> ---
>>   security/selinux/include/classmap.h | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/security/selinux/include/classmap.h 
>> b/security/selinux/include/classmap.h
>> index bd5fe0d3204a..7ff68a5e4c58 100644
>> --- a/security/selinux/include/classmap.h
>> +++ b/security/selinux/include/classmap.h
>> @@ -239,7 +239,7 @@ struct security_class_mapping secclass_map[] = {
>>       { "infiniband_endport",
>>         { "manage_subnet", NULL } },
>>       { "bpf",
>> -      {"map_create", "map_read", "map_write", "prog_load", 
>> "prog_run"} },
>> +      { "map_create", "map_read", "map_write", "prog_load", 
>> "prog_run", NULL } },
> 
> Should likely break the line to make checkpatch.pl happy:
> 
> $ ./scripts/checkpatch.pl -g HEAD
> WARNING: line over 80 characters
> #24: FILE: security/selinux/include/classmap.h:242:
> +      { "map_create", "map_read", "map_write", "prog_load", "prog_run", 
> NULL } },
> 
> 
>>       { "xdp_socket",
>>         { COMMON_SOCK_PERMS, NULL } },
>>       { NULL }
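Review bot: The added "bpf" permission line runs past 80 columns once `NULL` is appended (checkpatch.pl flags it at classmap.h:242), so split the initializer after "prog_load", and put `"prog_run", NULL } },` on its own continuation line. The changelog also overstates the problem: `perms` is declared as a fixed array of `sizeof(u32) * 8 + 1` pointers, so the slots after "prog_run" were already NULL before this change, and only the `{ NULL }` entry that ends the class list is required. Describe the change as a consistency cleanup in imperative mood ("Clean that up") rather than as a fix for a missing terminator.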
>>
> 
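The point made in the reply above about implicit initialization, as an added example that is not part of the original message or of the kernel source. The struct is copied from the message; `demo_map`, `MAX_PERMS`, `count_perms` and `perms_for_class` are hypothetical names, and the table is a constructed two-class excerpt with "bpf" written as it read before the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;                    /* stand-in for the kernel type */
#define MAX_PERMS (sizeof(u32) * 8)      /* hypothetical name: 32 bits per class */

struct security_class_mapping {
	const char *name;
	const char *perms[MAX_PERMS + 1];    /* 32 names plus a terminating slot */
};

/* Constructed excerpt: "bpf" has no explicit NULL, as before the patch. */
static const struct security_class_mapping demo_map[] = {
	{ "infiniband_endport",
	  { "manage_subnet", NULL } },
	{ "bpf",
	  { "map_create", "map_read", "map_write", "prog_load", "prog_run" } },
	{ NULL }                             /* the terminator that is required */
};

/* Count permissions up to the first NULL slot, bounded by the array size. */
size_t count_perms(const struct security_class_mapping *m)
{
	size_t n = 0;

	while (n <= MAX_PERMS && m->perms[n])
		n++;
	return n;
}

/* Walk the class list to its { NULL } entry; -1 if the class is absent. */
int perms_for_class(const char *name)
{
	const struct security_class_mapping *m;

	for (m = demo_map; m->name; m++)
		if (strcmp(m->name, name) == 0)
			return (int)count_perms(m);
	return -1;
}

int main(void)
{
	printf("bpf: %d permissions\n", perms_for_class("bpf"));
	printf("infiniband_endport: %d\n", perms_for_class("infiniband_endport"));
	return 0;
}
```

The walk over "bpf" stops after five names because C zero-initializes every array element the initializer list leaves out, which is why the missing `NULL` was a style issue and not an out-of-bounds read.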


Thread overview: 4+ messages
2019-02-06  4:17 [PATCH] selinux: Fix classmap for BPF William A. Kennington III
2019-02-06 14:04 ` Stephen Smalley
2019-02-06 14:33   ` Stephen Smalley [this message]
2019-02-08  2:30     ` Paul Moore
