From: Paul Moore <pmoore@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Paul Osmialowski <p.osmialowsk@samsung.com>,
linux-security-module@vger.kernel.org,
Lukasz Pawelczyk <l.pawelczyk@samsung.com>,
selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH v1 1/3] lsm: introduce hooks for kdbus
Date: Fri, 25 Sep 2015 18:09:59 -0400 [thread overview]
Message-ID: <1943242.lSlvmFOviS@sifl> (raw)
In-Reply-To: <56041D53.3090806@tycho.nsa.gov>
On Thursday, September 24, 2015 11:57:07 AM Stephen Smalley wrote:
> On 09/23/2015 05:44 PM, Paul Moore wrote:
...
> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
> > index ef63d65..be8d210 100644
> > --- a/ipc/kdbus/connection.c
> > +++ b/ipc/kdbus/connection.c
> > @@ -26,6 +26,7 @@
> >
> > #include <linux/path.h>
> > #include <linux/poll.h>
> > #include <linux/sched.h>
> >
> > +#include <linux/security.h>
> >
> > #include <linux/shmem_fs.h>
> > #include <linux/sizes.h>
> > #include <linux/slab.h>
> >
> > @@ -213,6 +214,13 @@ static struct kdbus_conn *kdbus_conn_new(struct
> > kdbus_ep *ep,>
> > goto exit_unref;
> >
> > }
> >
> > + ret = security_kdbus_conn_new(conn->cred, creds, pids, seclabel,
> > + owner, privileged,
> > + is_activator, is_monitor,
> > + is_policy_holder);
> > + if (ret < 0)
> > + goto exit_unref;
> > +
>
> I think this could be moved up much earlier ...
All good suggestions, thank you. I've incorporated all your suggestions into
the patchset, I'll send a new version once I've addressed a few other things.
> > diff --git a/ipc/kdbus/metadata.c b/ipc/kdbus/metadata.c
> > index 71ca475..07c45d7 100644
> > --- a/ipc/kdbus/metadata.c
> > +++ b/ipc/kdbus/metadata.c
> > @@ -1182,11 +1182,9 @@ static unsigned int kdbus_proc_permission(const
> > struct pid_namespace *pid_ns,>
> > const struct cred *cred,
> > struct pid *target)
> >
> > {
> >
> > - if (pid_ns->hide_pid < 1)
> > - return KDBUS_META_PROC_NORMAL;
> > -
> >
> > /* XXX: we need groups_search() exported for aux-groups */
> >
> > - if (gid_eq(cred->egid, pid_ns->pid_gid))
> > + if ((pid_ns->hide_pid < 1 || gid_eq(cred->egid, pid_ns->pid_gid)) &&
> > + security_kdbus_proc_permission(cred, target) == 0)
> >
> > return KDBUS_META_PROC_NORMAL;
>
> Not your fault, but I have to wonder why this function can't just return
> a bool like the policy functions; it has only two return values. Hardly
> worth an enum.
Agreed, I wondered about that too, however, in the interest of keep things
small and focused I'm going to stay away from changing it.
--
paul moore
security @ redhat
next prev parent reply other threads:[~2015-09-25 22:09 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-23 21:44 [RFC PATCH v1 0/3] Another take on the kdbus LSM hooks Paul Moore
2015-09-23 21:44 ` [RFC PATCH v1 1/3] lsm: introduce hooks for kdbus Paul Moore
2015-09-24 15:57 ` Stephen Smalley
2015-09-25 22:09 ` Paul Moore [this message]
2015-09-24 18:01 ` Stephen Smalley
2015-09-25 22:17 ` Paul Moore
2015-09-23 21:44 ` [RFC PATCH v1 2/3] selinux: introduce kdbus names into the policy Paul Moore
2015-09-23 21:44 ` [RFC PATCH v1 3/3] selinux: introduce kdbus access controls Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1943242.lSlvmFOviS@sifl \
--to=pmoore@redhat.com \
--cc=l.pawelczyk@samsung.com \
--cc=linux-security-module@vger.kernel.org \
--cc=p.osmialowsk@samsung.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.