From: Casey Schaufler <casey@schaufler-ca.com>
To: Greg KH <gregkh@linuxfoundation.org>,
	Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, arve@android.com,
	selinux@tycho.nsa.gov
Subject: Re: [PATCH] Add security hooks to binder and implement the hooks for SELinux.
Date: Thu, 22 Jan 2015 10:09:00 -0800
Message-ID: <54C13CBC.3050004@schaufler-ca.com>
In-Reply-To: <20150122085150.GB1268@kroah.com>

On 1/22/2015 12:51 AM, Greg KH wrote:
> On Wed, Jan 21, 2015 at 10:54:10AM -0500, Stephen Smalley wrote:
>> Add security hooks to the binder and implement the hooks for SELinux.
>> The security hooks enable security modules such as SELinux to implement
>> controls over binder IPC.  The security hooks include support for
>> controlling what process can become the binder context manager
>> (binder_set_context_mgr), controlling the ability of a process
>> to invoke a binder transaction/IPC to another process (binder_transaction),
>> controlling the ability of a process to transfer a binder reference to
>> another process (binder_transfer_binder), and controlling the ability
>> of a process to transfer an open file to another process (binder_transfer_file).
>>
>> These hooks have been included in the Android kernel trees since Android 4.3.
> Very interesting, I missed the fact that these were added in that tree,
> thanks for digging it out and submitting it.
>
> I'd like some acks from some Android developers before I take these.
> Or, if it's easier for them to go through the security tree, that's fine
> with me as well.

My only concern is that we're about to see a set of hooks proposed
for kdbus as well, and it would be a shame if we had two sets of hooks
that do roughly the same thing (ok, *very roughly*) introduced back to back.

>
> thanks,
>
> greg k-h
