Message-ID: <1492014798.3881.16.camel@tycho.nsa.gov>
Subject: Re: [PATCH] selinux: add selinux_is_enforced() function
From: Stephen Smalley
To: Sebastien Buisson
Cc: Paul Moore, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, william.c.roberts@intel.com, serge@hallyn.com, james.l.morris@oracle.com, Eric Paris, Paul Moore, Sebastien Buisson
Date: Wed, 12 Apr 2017 12:33:18 -0400
In-Reply-To:
References: <1491988018-4120-1-git-send-email-sbuisson@ddn.com> <1492005519.3881.8.camel@tycho.nsa.gov>
Organization: National Security Agency
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2017-04-12 at 17:19 +0200, Sebastien Buisson wrote:
> 2017-04-12 15:58 GMT+02:00 Stephen Smalley :
> > Even your usage of selinux_is_enabled() looks suspect; that should
> > probably go away.  Only other user of it seems to be some cred
> > validity checking that could be dropped as well.
>
> Well the main reason for calling selinux_is_enabled() is performance
> optimization.
> Should I propose a patch to add a new security_is_enabled() function
> at the LSM abstraction layer? Or do you consider we should not test
> security enabled at all?

It isn't clear what "is enabled" means in general, particularly with
stacking. I would either drop it or replace it with an LSM hook that is
more precise. For example, NFSv4 introduced a security_ismaclabel() hook
so that it could test whether a given security.* xattr is a MAC label.
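The distinction Stephen draws above, between a global "is security enabled" test and a precise per-question hook, is easier to see in code. What follows is an added user-space model, not code from this thread, from the patch under discussion or from the kernel tree. It mirrors the shape of the kernel's ismaclabel hook and its first-non-default-return dispatch, but the struct layout, the registration helpers, the modelled security_is_enabled() (the function Sebastien proposed, which does not exist in the kernel) and the scenarios in main() are this example's own simplifications and should be read as assumptions.

```c
/* Added example (not kernel code): a user-space model of how a precise LSM
 * hook such as ismaclabel() is dispatched across stacked modules, next to a
 * global "is enabled" flag that has no single meaning once more than one
 * module is loaded. Struct layout, registration and the modelled
 * security_is_enabled() are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Suffix after "security." under which each module stores its label. */
#define XATTR_SELINUX_SUFFIX "selinux"
#define XATTR_SMACK_SUFFIX   "SMACK64"

struct lsm_hook {
    const char *lsm;                      /* module that owns this entry   */
    int (*ismaclabel)(const char *name);  /* 1 if name is this LSM's label */
    struct lsm_hook *next;
};

/* Head of the registered hook list; NULL when no module is loaded. */
static struct lsm_hook *hook_head;

static void register_hook(struct lsm_hook *h)
{
    h->next = hook_head;
    hook_head = h;
}

/* Each module answers a precise question about one xattr name and never
 * has to say whether "security" as a whole is on. */
static int selinux_ismaclabel(const char *name)
{
    return !strcmp(name, XATTR_SELINUX_SUFFIX);
}

static int smack_ismaclabel(const char *name)
{
    return !strcmp(name, XATTR_SMACK_SUFFIX);
}

/* Model of the kernel's call_int_hook() dispatch: walk the stack and return
 * the first result that differs from the default (0). With nothing loaded
 * the default is returned, as a CONFIG_SECURITY=n build would. */
static int security_ismaclabel(const char *name)
{
    struct lsm_hook *h;
    for (h = hook_head; h; h = h->next) {
        int rc = h->ismaclabel(name);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* Model of the proposed security_is_enabled(): true if any module is
 * loaded. With two modules stacked this tells a caller nothing about
 * which xattr names are MAC labels, which is the objection in the thread. */
static int security_is_enabled(void)
{
    return hook_head != NULL;
}

/* What a filesystem such as NFSv4 actually needs: is this "security.*"
 * xattr a MAC label that some loaded module will interpret? */
static int is_mac_label_xattr(const char *xattr_name)
{
    static const char prefix[] = "security.";
    size_t plen = sizeof(prefix) - 1;
    if (strncmp(xattr_name, prefix, plen) != 0)
        return 0;
    return security_ismaclabel(xattr_name + plen);
}

static struct lsm_hook selinux_hooks = { "selinux", selinux_ismaclabel, NULL };
static struct lsm_hook smack_hooks   = { "smack",   smack_ismaclabel,   NULL };

static void unload_all(void)   { hook_head = NULL; }
static void load_selinux(void) { register_hook(&selinux_hooks); }
static void load_smack(void)   { register_hook(&smack_hooks); }

int main(void)
{
    const char *names[] = { "security.selinux", "security.SMACK64", "user.mime_type" };
    size_t i;

    unload_all();
    load_selinux();
    load_smack();
    printf("enabled=%d\n", security_is_enabled());
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-18s ismaclabel=%d\n", names[i], is_mac_label_xattr(names[i]));
    return 0;
}
```

The point the model makes is that security_is_enabled() returns the same value whether SELinux, Smack or both are loaded, while is_mac_label_xattr() gives a per-name answer that stays correct as modules are added or removed from the stack.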