From: Richard Haines <richard_c_haines@btinternet.com>
To: dhowells@redhat.com
Cc: selinux@vger.kernel.org, sds@tycho.nsa.gov, paul@paul-moore.com,
Richard Haines <richard_c_haines@btinternet.com>
Subject: [RFC PATCH 0/1] selinux: Add support for new key permissions
Date: Thu, 20 Feb 2020 18:10:30 +0000
Message-ID: <20200220181031.156674-1-richard_c_haines@btinternet.com>

I've been running this patch on my system for a few weeks now with no
problems, therefore I conclude that the key service only passes one
permission at a time.

Listed below is the output from the kernel logs regarding the permission
translations.

key_perms polcap = 0
entry_perm: 0x0001 exit_perm: 0x0001 view
entry_perm: 0x0002 exit_perm: 0x0002 read
entry_perm: 0x0004 exit_perm: 0x0004 write
entry_perm: 0x0008 exit_perm: 0x0008 search
entry_perm: 0x0010 exit_perm: 0x0010 link
entry_perm: 0x0020 exit_perm: 0x0020 setsec
entry_perm: 0x0040 exit_perm: 0x0008 inval/search
entry_perm: 0x0080 exit_perm: 0x0004 revoke/write
entry_perm: 0x0100 exit_perm: 0x0008 join/search
entry_perm: 0x0200 exit_perm: 0x0004 clear/write
entry_perm: 0x0400 exit_perm: 0x0010 parent_join/link

key_perms polcap = 1
entry_perm: 0x0001 exit_perm: 0x0001 view
entry_perm: 0x0002 exit_perm: 0x0002 read
entry_perm: 0x0004 exit_perm: 0x0004 write
entry_perm: 0x0008 exit_perm: 0x0008 search
entry_perm: 0x0010 exit_perm: 0x0010 link
entry_perm: 0x0020 exit_perm: 0x0020 setsec
entry_perm: 0x0040 exit_perm: 0x0080 inval
entry_perm: 0x0080 exit_perm: 0x0100 revoke
entry_perm: 0x0100 exit_perm: 0x0200 join
entry_perm: 0x0200 exit_perm: 0x0400 clear
entry_perm: 0x0400 exit_perm: 0x0200 parent_join/join

<-------- key.h -------->     <-- av_permissions.h -->
KEY_NEED_VIEW        0x001    KEY__VIEW     0x00000001U
KEY_NEED_READ        0x002    KEY__READ     0x00000002U
KEY_NEED_WRITE       0x004    KEY__WRITE    0x00000004U
KEY_NEED_SEARCH      0x008    KEY__SEARCH   0x00000008U
KEY_NEED_LINK        0x010    KEY__LINK     0x00000010U
KEY_NEED_SETSEC      0x020    KEY__SETATTR  0x00000020U
KEY_NEED_INVAL       0x040    KEY__INVAL    0x00000080U
KEY_NEED_REVOKE      0x080    KEY__REVOKE   0x00000100U
KEY_NEED_JOIN        0x100    KEY__JOIN     0x00000200U
KEY_NEED_CLEAR       0x200    KEY__CLEAR    0x00000400U
KEY_NEED_PARENT_JOIN 0x400    KEY__JOIN     0x00000200U

Richard Haines (1):
  selinux: Add support for new key permissions

 security/selinux/hooks.c            | 123 ++++++++++++++++------------
 security/selinux/include/security.h |  10 +--
 security/selinux/ss/services.c      |   4 +-
 3 files changed, 76 insertions(+), 61 deletions(-)

--
2.24.1
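
The translation recorded in the kernel log above, written as a user-space C function that can be run to reproduce both tables. This is an added example, not code from the message or from the patch; key_perm_to_av() and its polcap parameter are hypothetical names, and the constants are copied from the key.h and av_permissions.h columns in the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Request bits, copied from the key.h column of the cover letter. */
enum { KEY_NEED_VIEW = 0x001, KEY_NEED_READ = 0x002, KEY_NEED_WRITE = 0x004,
       KEY_NEED_SEARCH = 0x008, KEY_NEED_LINK = 0x010, KEY_NEED_SETSEC = 0x020,
       KEY_NEED_INVAL = 0x040, KEY_NEED_REVOKE = 0x080, KEY_NEED_JOIN = 0x100,
       KEY_NEED_CLEAR = 0x200, KEY_NEED_PARENT_JOIN = 0x400 };

/* SELinux key-class bits, copied from the av_permissions.h column. */
enum { KEY__VIEW = 0x001, KEY__READ = 0x002, KEY__WRITE = 0x004,
       KEY__SEARCH = 0x008, KEY__LINK = 0x010, KEY__SETATTR = 0x020,
       KEY__INVAL = 0x080, KEY__REVOKE = 0x100, KEY__JOIN = 0x200,
       KEY__CLEAR = 0x400 };

/*
 * key_perm_to_av() is a hypothetical user-space helper, not the patch's code.
 * polcap selects the key_perms policy capability shown in the log (0 or 1).
 * Returns 0 when perm is not exactly one known request bit.
 */
uint32_t key_perm_to_av(uint32_t perm, int polcap)
{
    if (perm == 0 || (perm & (perm - 1)) != 0)
        return 0;   /* zero or several bits set: not a single permission */
    switch (perm) {
    case KEY_NEED_VIEW:   return KEY__VIEW;
    case KEY_NEED_READ:   return KEY__READ;
    case KEY_NEED_WRITE:  return KEY__WRITE;
    case KEY_NEED_SEARCH: return KEY__SEARCH;
    case KEY_NEED_LINK:   return KEY__LINK;
    case KEY_NEED_SETSEC: return KEY__SETATTR;
    /* The new permissions fall back to an older one when polcap is 0. */
    case KEY_NEED_INVAL:       return polcap ? KEY__INVAL  : KEY__SEARCH;
    case KEY_NEED_REVOKE:      return polcap ? KEY__REVOKE : KEY__WRITE;
    case KEY_NEED_JOIN:        return polcap ? KEY__JOIN   : KEY__SEARCH;
    case KEY_NEED_CLEAR:       return polcap ? KEY__CLEAR  : KEY__WRITE;
    case KEY_NEED_PARENT_JOIN: return polcap ? KEY__JOIN   : KEY__LINK;
    default: return 0;
    }
}

int main(void)
{
    for (int polcap = 0; polcap <= 1; polcap++) {
        printf("key_perms polcap = %d\n", polcap);
        for (uint32_t p = KEY_NEED_VIEW; p <= KEY_NEED_PARENT_JOIN; p <<= 1)
            printf("entry_perm: 0x%04x exit_perm: 0x%04x\n",
                   (unsigned)p, (unsigned)key_perm_to_av(p, polcap));
    }
    return 0;
}
```

A request mask with more than one bit set returns 0 here, which is where the single-permission assumption stated in the message would show up if it did not hold.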