From: "Schaufler, Casey" <casey.schaufler@intel.com>
To: Arnd Bergmann <arnd@arndb.de>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: James Morris <jamorris@linux.microsoft.com>,
Anders Roxell <anders.roxell@linaro.org>,
Alexei Starovoitov <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
LKML <linux-kernel@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
bpf <bpf@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: RE: [PATCH] security: fix the default value of secid_to_secctx hook
Date: Mon, 18 May 2020 21:43:04 +0000 [thread overview]
Message-ID: <CY4PR11MB17990BA2B00B4CEB167057C9FDB80@CY4PR11MB1799.namprd11.prod.outlook.com> (raw)
In-Reply-To: <CAK8P3a3CBtitXnzQf3gLx4mXuvDoVZiwwi33iCDNvtG-0jBSwQ@mail.gmail.com>
> -----Original Message-----
> From: linux-kernel-owner@vger.kernel.org <linux-kernel-
> owner@vger.kernel.org> On Behalf Of Arnd Bergmann
> Sent: Saturday, May 16, 2020 1:05 AM
> To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
> Cc: James Morris <jamorris@linux.microsoft.com>; Anders Roxell
> <anders.roxell@linaro.org>; Alexei Starovoitov <ast@kernel.org>; Daniel
> Borkmann <daniel@iogearbox.net>; LKML <linux-kernel@vger.kernel.org>;
> Network Development <netdev@vger.kernel.org>; bpf
> <bpf@vger.kernel.org>
> Subject: Re: [PATCH] security: fix the default value of secid_to_secctx hook
I would *really* appreciate it if discussions about the LSM infrastructure
where done on the linux-security-module mail list. (added to CC).
>
> On Sat, May 16, 2020 at 1:29 AM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
> >
> > On Thu, May 14, 2020 at 12:47 PM Alexei Starovoitov
> > <alexei.starovoitov@gmail.com> wrote:
> > >
> > > On Thu, May 14, 2020 at 12:43 PM James Morris
> > > <jamorris@linux.microsoft.com> wrote:
> > > >
> > > > On Wed, 13 May 2020, Alexei Starovoitov wrote:
> > > >
> > > > > James,
> > > > >
> > > > > since you took the previous similar patch are you going to pick this
> > > > > one up as well?
> > > > > Or we can route it via bpf tree to Linus asap.
> > > >
> > > > Routing via your tree is fine.
> > >
> > > Perfect.
> > > Applied to bpf tree. Thanks everyone.
> >
> > Looks like it was a wrong fix.
> > It breaks audit like this:
> > sudo auditctl -e 0
> > [ 88.400296] audit: error in audit_log_task_context
> > [ 88.400976] audit: error in audit_log_task_context
> > [ 88.401597] audit: type=1305 audit(1589584951.198:89): op=set
> > audit_enabled=0 old=1 auid=0 ses=1 res=0
> > [ 88.402691] audit: type=1300 audit(1589584951.198:89):
> > arch=c000003e syscall=44 success=yes exit=52 a0=3 a1=7ffe42a37400
> > a2=34 a3=0 items=0 ppid=2250 pid=2251 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 se)
> > [ 88.405587] audit: type=1327 audit(1589584951.198:89):
> > proctitle=617564697463746C002D650030
> > Error sending enable request (Operation not supported)
> >
> > when CONFIG_LSM= has "bpf" in it.
>
> Do you have more than one LSM enabled? It looks like
> the problem with security_secid_to_secctx() is now that it
> returns an error if any of the LSMs fail and the caller expects
> it to succeed if at least one of them sets the secdata pointer.
>
> The problem earlier was that the call succeeded even though
> no LSM had set the pointer.
>
> What is the behavior we actually expect from this function if
> multiple LSM are loaded?
>
> Arnd
next prev parent reply other threads:[~2020-05-18 21:43 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-12 17:46 [PATCH] security: fix the default value of secid_to_secctx hook Anders Roxell
2020-05-13 17:22 ` Alexei Starovoitov
2020-05-14 19:43 ` James Morris
2020-05-14 19:47 ` Alexei Starovoitov
2020-05-15 23:29 ` Alexei Starovoitov
2020-05-16 8:04 ` Arnd Bergmann
2020-05-18 21:43 ` Schaufler, Casey [this message]
2020-05-18 22:02 ` Casey Schaufler
2020-05-14 19:41 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CY4PR11MB17990BA2B00B4CEB167057C9FDB80@CY4PR11MB1799.namprd11.prod.outlook.com \
--to=casey.schaufler@intel.com \
--cc=alexei.starovoitov@gmail.com \
--cc=anders.roxell@linaro.org \
--cc=arnd@arndb.de \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jamorris@linux.microsoft.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).