From: Mimi Zohar <zohar@linux.ibm.com>
To: Al Viro <viro@zeniv.linux.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-integrity@vger.kernel.org,
James Morris James Morris <jmorris@namei.org>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ima: cleanup the match_token policy code
Date: Mon, 17 Dec 2018 22:00:07 -0500 [thread overview]
Message-ID: <1545102007.4206.15.camel@linux.ibm.com> (raw)
In-Reply-To: <20181218013348.GR2217@ZenIV.linux.org.uk>
On Tue, 2018-12-18 at 01:33 +0000, Al Viro wrote:
> On Mon, Dec 17, 2018 at 04:36:54PM -0800, Linus Torvalds wrote:
> > On Mon, Dec 17, 2018 at 4:14 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > >
> > > Start the policy_tokens and the associated enumeration from zero,
> > > simplifying the pt macro.
> >
> > I applied this directly, since I decided to just commit my own "don't
> > use negative Opt_err" patch for the test_and_set_bit() cases, and they
> > kind of go together.
> >
> > There's still a -1 in security/keys/encrypted-keys/encrypted.c, and
> > there are also three cases of "Opt_error = -1" in the security layer.
> >
> > All of which look pointless and wrong, but not actively buggy, so I'll
> > leave them alone.
>
> FWIW, that part of LSM shite is getting taken out and shot - LSM-related
> preps in the beginning of mount API series are, at the moment, at
> fs/btrfs/ctree.h | 4 -
> fs/btrfs/super.c | 82 ++-------
> fs/namespace.c | 9 +-
> fs/nfs/internal.h | 2 +-
> fs/nfs/super.c | 34 ++--
> fs/super.c | 23 +--
> include/linux/lsm_hooks.h | 17 +-
> include/linux/security.h | 82 ++-------
> security/security.c | 39 +++--
> security/selinux/hooks.c | 798 ++++++++++++++++++++++++++++++++------------------------------------------------------
> security/smack/smack_lsm.c | 359 +++++++++++++++------------------------
> 11 files changed, 523 insertions(+), 926 deletions(-)
> and unlike the original variant there's not much touched in security/*
> further in the series...
>
> No match_token() uses left in there after this part.
Could you expand on commit 5b2ea6199614 ("selinux: switch away from
match_token()") patch description. All that it says is "It's not a
good fit, unfortunately, and the next step will make it even less so.
Open-code what we need here." And there's even less for the
equivalent Smack patch, which just says "same issue as with
selinux...".
Mimi
next prev parent reply other threads:[~2018-12-18 3:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-18 0:14 [PATCH] ima: cleanup the match_token policy code Mimi Zohar
2018-12-18 0:36 ` Linus Torvalds
2018-12-18 1:33 ` Al Viro
2018-12-18 1:40 ` Al Viro
2018-12-18 3:00 ` Mimi Zohar [this message]
2018-12-18 4:06 ` Al Viro
2018-12-18 5:04 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1545102007.4206.15.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.