From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>, SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH v2] selinux: remove unused initial SIDs and improve handling
Date: Fri, 14 Feb 2020 08:23:41 -0500 [thread overview]
Message-ID: <f9f12adf-51b1-3ba5-fef2-f290b69d974e@tycho.nsa.gov> (raw)
In-Reply-To: <CAFqZXNsk_fyPuLDz-jtjtjzJR5rZmBAKgFzPk3Z0y35ahyaeRw@mail.gmail.com>
On 2/14/20 7:46 AM, Ondrej Mosnacek wrote:
> On Wed, Jan 29, 2020 at 5:42 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> Fully decoupling the policy and kernel initial SID values will
>> require introducing a mapping between them and dyhamically
>
> Nit: s/dyhamically/dynamically/
Ah, thanks; will fix if I need to re-spin.
>> - if (c->sid[0] == SECSID_NULL || c->sid[0] > SECINITSID_NUM) {
>> - pr_err("SELinux: Initial SID %s out of range.\n",
>> - c->u.name);
>> + u32 sid = c->sid[0];
>> + const char *name = security_get_initial_sid_context(sid);
>> +
>> + if (sid == SECSID_NULL) {
>> + pr_err("SELinux: SID null was assigned a context.\n");
>> sidtab_destroy(s);
>> goto out;
>> }
>
> Your sentence "Stop treating it as an error if a policy defines
> additional initial SIDs unknown to the kernel." and the removed check
> for > SECINITSID_NUM suggest that you intend to not treat this
> condition as an error, but sidtab_set_initial() called bellow will
> reject such SID with -ENIVAL. Or am I misreading it and you just
> wanted to remove the duplicate check?
The comment and if statement below will cause it to ignore any initial
SIDs unused by the kernel, whether they are ones <= SECINITSID_NUM whose
names have been dropped and replaced by NULL or ones > SECINITSID_NUM.
security_get_initial_sid_context() returns NULL for anything >
SECINITSID_NUM.
>
>> +
>> + /* Ignore initial SIDs unused by this kernel. */
>> + if (!name)
>> + continue;
>> +
next prev parent reply other threads:[~2020-02-14 13:22 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-29 16:42 [PATCH v2] selinux: remove unused initial SIDs and improve handling Stephen Smalley
2020-02-13 14:13 ` Stephen Smalley
2020-02-13 22:34 ` Paul Moore
2020-02-14 13:19 ` Stephen Smalley
2020-02-14 8:54 ` Dominick Grift
2020-02-14 12:46 ` Ondrej Mosnacek
2020-02-14 13:23 ` Stephen Smalley [this message]
2020-02-14 13:25 ` Ondrej Mosnacek
2020-02-22 21:33 ` Paul Moore
[not found] ` <63a0ca0b-e791-2607-ed94-94b67308cb3c@tycho.nsa.gov>
2020-02-25 1:51 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f9f12adf-51b1-3ba5-fef2-f290b69d974e@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.