From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755925AbdDMAMO (ORCPT ); Wed, 12 Apr 2017 20:12:14 -0400 Received: from nm10-vm5.bullet.mail.ne1.yahoo.com ([98.138.91.232]:50429 "EHLO nm10-vm5.bullet.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755421AbdDMAML (ORCPT ); Wed, 12 Apr 2017 20:12:11 -0400 X-Yahoo-Newman-Id: 435363.96883.bm@smtp211.mail.ne1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: fkQM95gVM1lZXb_Akyem7bEXYJpQ7IcKnXU94wbFcQ8Fxyn fdNKQ66Bax4ZmWIcLqVfQ8ogfxC3mVqDu5s.XRhCQeTW.lTUe4s5bj_5Xjes qdn_xJ6f.i724Px.pJPUwQn4eUBHtq5feq5RY32oTb.ZyzwaXf_wSKnX2v8x d_1EZCP3OKhXHT3gcP_BK9GuxLMiz0hn9ZBQL6.EjLvMzfaKbtXJgve93xKD CTZLN6rQfDd5IignctBnp1Ov7h2lKKJ_imBTPdrxbRbUzFLRLB5a4E7YlhPo hmZYBem_pXsrXwSu9lo2sRgg_7eKxATcsT9J6jExWMA0PX9qxLvdZbJSpSu3 ETbdA20dW6YawGbaJeYDwbu6iG_UxAOYkLDTi0D5_Ho0c1P4h4sfu.Spz0KU 8CytcPw90dTdpgDtRR4kWW2pkazVnHVOSujVz7QgfsadrRsE2tfV3ktqo3Dn d5BCrlXH3DZrwGgwXXx1SRQI9l2j6kdZCJKleNImTa4Xrk762MMZukbm8uF1 S9UXWe9Xslljgx2jfViBkrqPSRXuF5.LVDf2zOVlt_cRSPB1FBKzmpNFV0B0 .rIA- X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw-- Subject: Re: [PATCH] selinux: add selinux_is_enforced() function To: Stephen Smalley , Sebastien Buisson References: <1491988018-4120-1-git-send-email-sbuisson@ddn.com> <1492005519.3881.8.camel@tycho.nsa.gov> <1492014798.3881.16.camel@tycho.nsa.gov> Cc: james.l.morris@oracle.com, william.c.roberts@intel.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Sebastien Buisson , selinux@tycho.nsa.gov From: Casey Schaufler Message-ID: <2ad46d79-6e81-998d-3d8b-ed26c3d52a95@schaufler-ca.com> Date: Wed, 12 Apr 2017 17:12:13 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <1492014798.3881.16.camel@tycho.nsa.gov> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/12/2017 9:33 AM, Stephen Smalley wrote: > On Wed, 2017-04-12 at 17:19 +0200, Sebastien Buisson wrote: >> 2017-04-12 15:58 GMT+02:00 Stephen Smalley : >>> Even your usage of selinux_is_enabled() looks suspect; that should >>> probably go away. Only other user of it seems to be some cred >>> validity >>> checking that could be dropped as well. >> Well the main reason for calling selinux_is_enabled() is performance >> optimization. >> Should I propose a patch to add a new security_is_enabled() function >> at the LSM abstraction layer? Or do you consider we should not test >> security enabled at all? > It isn't clear what "is enabled" means in general, particularly with > stacking. I would either drop it or replace it with a LSM hook that is > more precise. For example, NFSv4 introduced a security_ismaclabel() > hook so that it could test whether a given security.* xattr is a MAC > label. You can determine what security modules are enabled by reading /sys/kernel/security/lsm in userspace (4.11 feature). Your kernel code *really* shouldn't care what security modules are enabled. If you do care, you've designed poorly. If you're trying to ensure consistent policy between members of your cluster you're better off doing that in user space than in the kernel. > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.