From: Casey Schaufler <casey@schaufler-ca.com>
To: Paul Moore <pmoore@redhat.com>,
netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
selinux@tycho.nsa.gov
Subject: Re: [PATCH 0/4] Fix the NetLabel LSM category mappings
Date: Thu, 31 Jul 2014 15:47:29 -0700
Message-ID: <53DAC781.3010502@schaufler-ca.com>
In-Reply-To: <20140731212856.4991.49396.stgit@localhost>

On 7/31/2014 2:44 PM, Paul Moore wrote:
> As you will see in the patch descriptions below, the NetLabel LSM
> category mappings are very badly broken. This patchset should repair
> things and make life better in the future. The first three patches
> are straight-up bug fixes; the fourth patch doesn't actually fix any
> faulty logic in the code, but rather shortens some stupidly long
> function and structure names relating to the NetLabel category
> mappings. I should probably do something similar with a lot of other
> NetLabel APIs, but that is for another time.
>
> Thanks to Christian Evans for pointing out one of the original
> problems. I don't think he realized how many problems there really
> were, but I still owe him one for getting me to revisit this ugly,
> nasty code. I apologize it took so long to get a fix out and that
> things were broken this badly in the first place.
>
> Casey, I'm CC'ing you here because this patchset does touch some of
> the Smack code, but as you can see the changes are trivial. I will
> be very surprised if you find anything objectionable in there.
> However, if you do, let me know and I'll fix it.

The code passes my tests. I'll mark the patches "Tested-by:".

> DaveM/netdev folks, you guys are included here for the obvious reason
> that a good chunk of the code changes live in net/*. However, the
> net/* related changes are all within the NetLabel code and not in the
> core networking stack so I doubt this is something you'll care too
> much about. I'm going to guess that as far as you're concerned, this
> is just another bugfix to a subsystem you don't really care about.
>
> DaveM, unless you have any objections, I'm planning on pushing this
> via the SELinux tree up through James' LSM tree since that seems to
> make the most sense to me. If you would rather push it via the netdev
> tree please let me know.
>
> -Paul
>
> ---
>
> Paul Moore (4):
> netlabel: fix a problem when setting bits below the previously lowest bit
> netlabel: fix the horribly broken catmap functions
> netlabel: fix the catmap walking functions
> netlabel: shorter names for the NetLabel catmap funcs/structs
>
>
> include/net/netlabel.h | 94 +++++++-----
> net/ipv4/cipso_ipv4.c | 47 ++----
> net/netlabel/netlabel_kapi.c | 327 ++++++++++++++++++++++++++++-------------
> security/selinux/ss/ebitmap.c | 133 +++++++----------
> security/selinux/ss/ebitmap.h | 8 +
> security/smack/smack_access.c | 11 +
> security/smack/smack_lsm.c | 6 -
> security/smack/smackfs.c | 14 +-
> 8 files changed, 366 insertions(+), 274 deletions(-)
>