From: Stephen Smalley <sds@tycho.nsa.gov>
To: James Morris <jmorris@namei.org>
Cc: Eric Paris <eparis@redhat.com>, selinux@tycho.nsa.gov
Subject: Re: [PATCH 1/3] SELinux: fix selinux to safely handle any bugs even when not CONFIG_BUG
Date: Tue, 10 Feb 2009 10:05:18 -0500 [thread overview]
Message-ID: <1234278318.4642.54.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.LRH.1.10.0902110151340.6605@tundra.namei.org>
On Wed, 2009-02-11 at 01:52 +1100, James Morris wrote:
> On Tue, 10 Feb 2009, Eric Paris wrote:
>
> > > > +++ b/security/selinux/ss/services.c
> > > > @@ -120,16 +120,25 @@ static int constraint_expr_eval(struct context *scontext,
> > > > for (e = cexpr; e; e = e->next) {
> > > > switch (e->expr_type) {
> > > > case CEXPR_NOT:
> > > > - BUG_ON(sp < 0);
> > > > + if (unlikely(sp < 0)) {
> > > > + BUG();
> > > > + return 0;
> > > > + }
> > >
> > > General question: Should we in fact be panic'ing in these cases where
> > > we cannot return a value that will in fact abort the computation and
> > > guarantee that the operation will not proceed? Same applies to the
> > > ebitmap code. Just returning 0 (false) doesn't necessarily mean that we
> > > won't grant a permission, as the result may get negated.
> >
> > James?
>
> Perhaps panic() in enforcing mode, otherwise print a warning.
Yuck.
These are cases where we were already fine with an undefined opcode from
BUG() happening in the usual CONFIG_BUG=y case, so I'd think they could
be made unconditional panic() calls.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-02-10 15:05 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-09 21:37 [PATCH 1/3] SELinux: fix selinux to safely handle any bugs even when not CONFIG_BUG Eric Paris
2009-02-09 21:37 ` [PATCH 2/3] SELinux: call capabilities code directory Eric Paris
2009-02-10 14:06 ` Stephen Smalley
2009-02-10 14:30 ` Eric Paris
2009-02-09 21:37 ` [PATCH 3/3] SELinux: better printk when file with invalid label found Eric Paris
2009-02-10 14:14 ` Stephen Smalley
2009-02-10 14:30 ` Eric Paris
2009-02-10 14:59 ` Stephen Smalley
2009-02-10 14:00 ` [PATCH 1/3] SELinux: fix selinux to safely handle any bugs even when not CONFIG_BUG Stephen Smalley
2009-02-10 14:39 ` Eric Paris
2009-02-10 14:52 ` James Morris
2009-02-10 15:05 ` Stephen Smalley [this message]
2009-02-10 16:37 ` Paul Moore
2009-02-12 22:56 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1234278318.4642.54.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.