From: Ondrej Mosnacek <omosnace@redhat.com>
To: Tejun Heo <tj@kernel.org>
Cc: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org
Subject: Re: [PATCH v6 5/5] kernfs: initialize security of newly created nodes
Date: Fri, 15 Feb 2019 16:45:44 +0100 [thread overview]
Message-ID: <CAFqZXNuOg9ex_WqCCKYzPQSeqbGmo-KP4Yh9TB4bbMZziG314A@mail.gmail.com> (raw)
In-Reply-To: <20190214154854.GO50184@devbig004.ftw2.facebook.com>
On Thu, Feb 14, 2019 at 4:49 PM Tejun Heo <tj@kernel.org> wrote:
> On Thu, Feb 14, 2019 at 10:50:15AM +0100, Ondrej Mosnacek wrote:
> > +static int kernfs_node_init_security(struct kernfs_node *parent,
> > + struct kernfs_node *kn)
>
> Can we skip the whole thing if security is not enabled?
Do you mean just skipping the whole part when CONFIG_SECURITY=n? That
is easy to do and I can add it in the next respin (although the
compiler should be able to optimize most of it out in that case).
If you mean dynamically checking if calling the hook would actually do
anything (i.e. if any LSM actually registered that particular hook),
then that should also be possible (just check if
security_hook_heads.kernfs_init_security is a non-empty list), but I'm
not sure if that wouldn't be too hacky...
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
next prev parent reply other threads:[~2019-02-15 15:45 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-14 9:50 [PATCH v6 0/5] Allow initializing the kernfs node's secctx based on its parent Ondrej Mosnacek
2019-02-14 9:50 ` [PATCH v6 1/5] selinux: try security xattr after genfs for kernfs filesystems Ondrej Mosnacek
2019-02-14 20:49 ` Stephen Smalley
2019-02-15 15:48 ` Ondrej Mosnacek
2019-02-14 9:50 ` [PATCH v6 2/5] kernfs: use simple_xattrs for security attributes Ondrej Mosnacek
2019-02-14 9:50 ` [PATCH v6 3/5] LSM: add new hook for kernfs node initialization Ondrej Mosnacek
2019-02-14 9:50 ` [PATCH v6 4/5] selinux: implement the kernfs_init_security hook Ondrej Mosnacek
2019-02-14 9:50 ` [PATCH v6 5/5] kernfs: initialize security of newly created nodes Ondrej Mosnacek
2019-02-14 15:48 ` Tejun Heo
2019-02-15 15:45 ` Ondrej Mosnacek [this message]
2019-02-15 15:50 ` Tejun Heo
2019-02-18 10:03 ` Ondrej Mosnacek
2019-02-18 21:02 ` Tejun Heo
2019-02-19 0:28 ` Casey Schaufler
2019-02-19 14:10 ` Ondrej Mosnacek
2019-02-19 14:21 ` Tejun Heo
2019-02-19 16:43 ` Casey Schaufler
2019-02-21 9:13 ` Ondrej Mosnacek
2019-02-21 16:52 ` Casey Schaufler
2019-02-22 12:52 ` Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFqZXNuOg9ex_WqCCKYzPQSeqbGmo-KP4Yh9TB4bbMZziG314A@mail.gmail.com \
--to=omosnace@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=cgroups@vger.kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).