From: Steve Beattie <sbeattie@suse.de>
To: Tony Jones <tonyj@suse.de>
Cc: serge@hallyn.com, serue@us.ibm.com,
lkml <linux-kernel@vger.kernel.org>,
Chris Wright <chrisw@osdl.org>,
Stephen Smalley <sds@epoch.ncsc.mil>,
James Morris <jmorris@redhat.com>, Andrew Morton <akpm@osdl.org>,
Michael Halcrow <mhalcrow@us.ibm.com>
Subject: Re: [patch 0/15] lsm stacking v0.3: intro
Date: Sat, 30 Jul 2005 20:22:26 -0700 [thread overview]
Message-ID: <20050731032226.GC25629@immunix.com> (raw)
In-Reply-To: <20050730201852.GA8223@immunix.com>
[-- Attachment #1: Type: text/plain, Size: 1456 bytes --]
On Sat, Jul 30, 2005 at 01:18:52PM -0700, Tony Jones wrote:
> Of more concern is ps -Z (pstools).
>
> We had to have the pstools maintainer extend the set of characters that it
> considered valid from the getprocattr. I forget the details but IIRC he
> wanted to know (for ?documentation?) every character that could be returned
> by our getprocattr hook (which for us is pretty much any character thats
> valid in a pathname -- though IIRC we forgot one).
>
> Anyway, I'm guessing (at least with pstools 3.2.5) that '(' is not one of
> the valid characters. IIRC ps gives up when it sees a "non-valid" character.
>
> I wrote a trivial little lsm which just returns 'foobar' for any getprocattr.
>
> # cat /proc/2322/attr/current
> unconstrained (subdomain)
> foobar (foobar)
>
> # ps -Z -p 2322
> LABEL PID TTY TIME CMD
> unconstrained 2322 ttyS0 00:00:00 bash
Actually, no, it is the space preceding the open paren that is invalid;
see this patch for the expanded allowed character set in procps 3.2.5:
http://cvs.sourceforge.net/viewcvs.py/procps/procps/ps/output.c?r1=1.51&r2=1.52
When I discussed this with Albert Cahalan, he *strongly* objected to
allowing whitespace in security contexts, as he felt it would break
scripts that parsed 'ps -Z' output.
--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie@suse.de>
http://NxNW.org/~steve/
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2005-07-31 3:26 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-07-27 18:17 [patch 0/15] lsm stacking v0.3: intro serue
2005-07-27 18:19 ` [patch 1/15] lsm stacking v0.3: introduce securityfs serue
2005-07-27 18:20 ` [patch 2/15] lsm stacking v0.3: add module * to security_ops serue
2005-07-27 18:21 ` [patch 3/15] lsm stacking v0.3: don't default to dummy_##hook serue
2005-07-27 18:23 ` [patch 4/15] lsm stacking v0.3: swith ->security to hlist serue
2005-07-27 18:24 ` [patch 5/15] lsm stacking v0.3: introduce security_*_value API serue
2005-07-27 18:24 ` [patch 6/15] lsm stacking v0.3: stacker documentation serue
2005-07-27 18:24 ` [patch 7/15] lsm stacking v0.3: actual stacker module serue
2005-07-27 18:25 ` [patch 8/15] lsm stacking v0.3: stackable capabilities lsm serue
2005-07-27 18:26 ` [patch 9/15] lsm stacking v0.3: selinux: update ->security structs serue
2005-07-27 18:26 ` [patch 10/15] lsm stacking v0.3: selinux: use security_*_value API serue
2005-07-27 18:27 ` [patch 11/15] lsm stacking v0.3: selinux: remove secondary support serue
2005-07-27 18:27 ` [patch 12/15] lsm stacking v0.3: hook completeness verification script serue
2005-07-27 18:28 ` [patch 13/15] lsm stacking v0.3: seclvl: update for stacking serue
2005-07-27 18:28 ` [patch 14/15] lsm stacking v0.3: fix security_{del,unlink}_value race serue
2005-07-27 18:28 ` [patch 15/15] lsm stacking v0.3: stacking for digsig serue
2005-07-27 19:34 ` [patch 0/15] lsm stacking v0.3: intro James Morris
2005-07-27 19:37 ` James Morris
2005-08-03 16:45 ` [PATCH] Stacker - single-use static slots serue
2005-08-03 17:57 ` Chris Wright
2005-08-03 19:27 ` serue
2005-08-03 19:45 ` Chris Wright
2005-08-03 20:31 ` serge
2005-08-05 15:55 ` James Morris
2005-08-05 17:27 ` serue
2005-08-05 17:34 ` serue
2005-08-10 14:45 ` serue
2005-08-11 7:42 ` James Morris
2005-08-11 21:22 ` serue
2005-08-11 23:02 ` James Morris
2005-07-27 19:54 ` [patch 0/15] lsm stacking v0.3: intro serue
2005-07-30 5:07 ` Tony Jones
2005-07-30 19:02 ` serge
2005-07-30 20:18 ` Tony Jones
2005-07-31 3:22 ` Steve Beattie [this message]
2005-07-31 3:44 ` serge
2005-07-31 4:13 ` Tony Jones
2005-07-31 13:37 ` serge
2005-07-31 3:53 ` serge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050731032226.GC25629@immunix.com \
--to=sbeattie@suse.de \
--cc=akpm@osdl.org \
--cc=chrisw@osdl.org \
--cc=jmorris@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhalcrow@us.ibm.com \
--cc=sds@epoch.ncsc.mil \
--cc=serge@hallyn.com \
--cc=serue@us.ibm.com \
--cc=tonyj@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox