public inbox for linux-audit@redhat.com
From: Paul Moore <pmoore@redhat.com>
To: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: linux-security-module@vger.kernel.org, linux-audit@redhat.com,
	selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH v2 5/5] selinux: introduce kdbus access controls
Date: Tue, 06 Oct 2015 18:20:51 -0400
Message-ID: <21245029.iIIe2WA6vd@sifl>
In-Reply-To: <56141925.5050004@m4x.org>

On Tuesday, October 06, 2015 08:55:33 PM Nicolas Iooss wrote:
> On 10/05/2015 10:41 PM, Paul Moore wrote:
> > Add the SELinux access control implementation for the new kdbus LSM
> > hooks using the new kdbus object class and the following permissions:
> [[SNIP]]
> 
> > diff --git a/security/selinux/include/classmap.h
> > b/security/selinux/include/classmap.h index eccd61b..31e4435 100644
> > --- a/security/selinux/include/classmap.h
> > +++ b/security/selinux/include/classmap.h
> > @@ -153,5 +153,9 @@ struct security_class_mapping secclass_map[] = {
> > 
> >  	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
> >  	
> >  	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
> >  	
> >  		      NULL } },
> > 
> > +	{ "kdbus", { "impersonate", "fakecreds", "fakepids", "owner",
> > +		     "privileged", "activator", "monitor", "policy_holder",
> > +		     "connect", "own", "talk", "see", "see_name",
> > +		     "see_notification" } },
> > 
> >  	{ NULL }
> >  	
> >    };
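
Review bot: the permission list in the added "kdbus" entry stops at "see_notification" with no trailing NULL, whereas the "binder" entry directly above closes its list with NULL and the table itself ends with { NULL }. Add NULL after "see_notification" so the new entry carries the same explicit terminator as the other entries in secclass_map[].
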
> 
> Hello,
> Out of curiosity, why is the new list of permissions not
> NULL-terminated?

Honest answer: I forgot :)

These patches are still "RFC quality" which means I'm emphasizing getting the 
patches posted quickly (hardy har har) and not putting the code through as 
much testing and scrutiny as I usually do.  The idea right now is to get 
feedback about the hooks and the individual LSM implementations.

Regardless, thanks for catching the missing terminator, the fix will be in the 
next draft of the patches.

-- 
paul moore
security @ redhat


Thread overview: 8+ messages
2015-10-05 20:41 [RFC PATCH v2 0/5] kdbus LSM/SELinux hooks Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 1/5] kdbus: add creator credentials to the endpoints Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 2/5] lsm: introduce hooks for kdbus Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 3/5] lsm: add support for auditing kdbus service names Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 4/5] selinux: introduce kdbus names into the policy Paul Moore
2015-10-05 20:41 ` [RFC PATCH v2 5/5] selinux: introduce kdbus access controls Paul Moore
2015-10-06 18:55   ` Nicolas Iooss
2015-10-06 22:20     ` Paul Moore [this message]
