From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] libselinux: Use sestatus if open
Date: Wed, 15 Jul 2020 12:04:41 -0400 [thread overview]
Message-ID: <CAMN686F4uT7__dvy22V_Y9_zqd6ckw=14gs6RcExuT-3ru6NtA@mail.gmail.com> (raw)
In-Reply-To: <CAMN686HGb5-TmKAa3h+eof6a451CMa7Qd9n5F9FX_ozw31BWAg@mail.gmail.com>
On Tue, Jul 14, 2020 at 6:42 PM Mike Palmiotto
<mike.palmiotto@crunchydata.com> wrote:
>
> On Tue, Jul 14, 2020 at 5:35 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Tue, Jul 14, 2020 at 5:20 PM Mike Palmiotto
> > <mike.palmiotto@crunchydata.com> wrote:
<snip>
> > > Do you think we should go ahead and completely swap in sestatus? I was
> > > just worried about breaking userspace object managers that are
> > > currently using netlink threads by default, for instance
> > > systemd-dbusd. I can spend some more time getting those to work with
> > > the status page if you think that's worthwhile.
> >
> > I'd be interested in understanding the impact of such a change on
> > existing userspace object managers. If we can switch the default
> > behavior for applications that are not explicitly using
> > avc_netlink_*() interfaces themselves (e.g. they are only using
> > selinux_check_access or avc_has_perm), then that would be beneficial
> > since I think it fully removes the need for a system call on the AVC
> > cache-hit code path.
>
> I'll have to do a bit of digging to see how this will affect dbus, et
> al. On first blush, it looks like they're just doing
> avc_netlink_check_nb() in their watch thread. Presumably other object
> managers are doing something similar so we would just need to make
> sure there is a netlink fd available.
So it looks like dbus (at least) is directly checking for a netlink
socket[1], so just doing away with the avc_netlink_open call wouldn't
work out. My thinking is we have two options:
1) Add a new seopt to use sestatus and let userspace object managers opt-in
2) Call both selinux_status_open and avc_netlink_open in
avc_init_internal. This would satisfy the hard requirement for a
netlink socket. Then we can default to using sestatus in all of the
netlink processing paths, as you suggested in your last reply. We
could
Option 2 seems better from the standpoint of using sestatus by
default, but it looks like recvfrom will never be called and the
messages will just sit in kernel memory.
I'm inclined to go with option 1 at this point.
[1] https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/selinux.c#L269
--
Mike Palmiotto
https://crunchydata.com
next prev parent reply other threads:[~2020-07-15 16:06 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-14 20:29 [PATCH] libselinux: Use sestatus if open Mike Palmiotto
2020-07-14 20:29 ` Mike Palmiotto
2020-07-14 21:03 ` Stephen Smalley
2020-07-14 21:20 ` Mike Palmiotto
2020-07-14 21:35 ` Stephen Smalley
2020-07-14 22:42 ` Mike Palmiotto
2020-07-15 16:04 ` Mike Palmiotto [this message]
2020-07-15 16:49 ` Stephen Smalley
2020-07-15 17:10 ` Mike Palmiotto
2020-07-15 18:52 ` Mike Palmiotto
2020-07-15 19:49 ` Stephen Smalley
2020-07-15 22:45 ` Mike Palmiotto
2020-07-16 12:39 ` Stephen Smalley
2020-07-16 13:36 ` Mike Palmiotto
2020-07-16 15:12 ` Stephen Smalley
2020-07-16 15:27 ` Stephen Smalley
2020-07-16 15:44 ` Mike Palmiotto
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMN686F4uT7__dvy22V_Y9_zqd6ckw=14gs6RcExuT-3ru6NtA@mail.gmail.com' \
--to=mike.palmiotto@crunchydata.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.