From: Nicolas Iooss <nicolas.iooss-oWGTIYur0i8@public.gmane.org>
To: Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
Subject: Re: [RFC PATCH v2 5/5] selinux: introduce kdbus access controls
Date: Tue, 6 Oct 2015 20:55:33 +0200
Message-ID: <56141925.5050004@m4x.org>
In-Reply-To: <20151005204137.32023.7198.stgit@localhost>

On 10/05/2015 10:41 PM, Paul Moore wrote:
> Add the SELinux access control implementation for the new kdbus LSM
> hooks using the new kdbus object class and the following permissions:
>
[[SNIP]]
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index eccd61b..31e4435 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -153,5 +153,9 @@ struct security_class_mapping secclass_map[] = {
> { COMMON_SOCK_PERMS, "attach_queue", NULL } },
> { "binder", { "impersonate", "call", "set_context_mgr", "transfer",
> NULL } },
> + { "kdbus", { "impersonate", "fakecreds", "fakepids", "owner",
> + "privileged", "activator", "monitor", "policy_holder",
> + "connect", "own", "talk", "see", "see_name",
> + "see_notification" } },
> { NULL }
> };
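Review bot: the new "kdbus" initializer closes right after "see_notification" with no trailing NULL, while the "binder" entry directly above it ends its permission list with NULL. Suggest adding NULL after "see_notification" so the entry follows the convention visible in the surrounding lines and a reader does not have to reason about how the remaining array elements are initialized.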
Hello,
Out of curiosity, why is the new list of permissions not
NULL-terminated? As far as I can tell, as the field "perms" of struct
security_class_mapping is a fixed-size vector, it doesn't matter here
(the C compiler would always pad with NULL pointers), but then I am
wondering why all the other lists of perms are NULL-terminated in
classmap.h.
Thanks,
Nicolas
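
Added example (not part of the original message or of the kernel source): a small C program illustrating the padding behaviour described in the reply above. The struct demo_class_mapping, the size DEMO_MAX_PERMS and the sample table are assumptions made for illustration. It goes one step beyond the message by also covering a list that fills the array exactly, where no NULL slot is left.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed array size for this example; not taken from the kernel source. */
#define DEMO_MAX_PERMS 8

/* Hypothetical stand-in for a class mapping with a fixed-size perms array. */
struct demo_class_mapping {
    const char *name;
    const char *perms[DEMO_MAX_PERMS];
};

/* Constructed sample table. */
static const struct demo_class_mapping demo_map[] = {
    /* Terminator written out explicitly. */
    { "explicit", { "call", "transfer", NULL } },
    /* No terminator: C initializes the remaining elements to null pointers. */
    { "implicit", { "call", "transfer" } },
    /* Every slot used: there is no room left for a NULL element. */
    { "full", { "p0", "p1", "p2", "p3", "p4", "p5", "p6", "p7" } },
    { NULL }
};

/* Count permissions, stopping at the first NULL or at the array bound. */
static size_t demo_count_perms(const struct demo_class_mapping *m)
{
    size_t n = 0;

    while (n < DEMO_MAX_PERMS && m->perms[n] != NULL)
        n++;
    return n;
}

/* Returns 1 if a NULL slot exists inside the array, so that a walker
 * relying only on the terminator would stop within bounds. */
static int demo_has_terminator(const struct demo_class_mapping *m)
{
    return demo_count_perms(m) < DEMO_MAX_PERMS;
}

int main(void)
{
    const struct demo_class_mapping *m;

    for (m = demo_map; m->name; m++)
        printf("%-8s perms=%zu terminated=%d\n", m->name,
               demo_count_perms(m), demo_has_terminator(m));
    return 0;
}
```
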
Thread overview (9+ messages):
2015-10-05 20:41 [RFC PATCH v2 0/5] kdbus LSM/SELinux hooks Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 1/5] kdbus: add creator credentials to the endpoints Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 2/5] lsm: introduce hooks for kdbus Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 3/5] lsm: add support for auditing kdbus service names Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 4/5] selinux: introduce kdbus names into the policy Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 5/5] selinux: introduce kdbus access controls Paul Moore
2015-10-06 18:55 ` Nicolas Iooss [this message]
2015-10-06 18:55 ` Nicolas Iooss
2015-10-06 22:20 ` Paul Moore