* xfrm: Can "struct netlbl_audit" be killed?
@ 2014-04-24 11:51 Tetsuo Handa
2014-04-24 13:18 ` Paul Moore
0 siblings, 1 reply; 4+ messages in thread
From: Tetsuo Handa @ 2014-04-24 11:51 UTC (permalink / raw)
To: paul, casey; +Cc: netdev, linux-security-module
Hello, Casey and Paul.
At the ipsec-next tree,
/* Audit Information */
struct xfrm_audit {
u32 secid;
kuid_t loginuid;
unsigned int sessionid;
};
has just been killed
( https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec-next.git/commit/?id=f1370cc4a01e61007ab3020c761cef6b88ae3729 and
https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec-next.git/commit/?id=2e71029e2c32ecd59a2e8f351517bfbbad42ac11 )
because these arguments are always calculated from current thread's security
context.
Looking at other security_secid_to_secctx() users, I noticed that
a similar struct in the netlabel code.
/* NetLabel audit information */
struct netlbl_audit {
u32 secid;
kuid_t loginuid;
unsigned int sessionid;
};
Do you know whether we can kill "struct netlbl_audit" as well?
(In other words, is "bool" sufficient for representing "struct netlbl_audit" ?)
Regards.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: xfrm: Can "struct netlbl_audit" be killed?
2014-04-24 11:51 xfrm: Can "struct netlbl_audit" be killed? Tetsuo Handa
@ 2014-04-24 13:18 ` Paul Moore
2014-04-24 14:29 ` Tetsuo Handa
0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2014-04-24 13:18 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: casey, netdev, linux-security-module
On Thursday, April 24, 2014 08:51:35 PM Tetsuo Handa wrote:
> Hello, Casey and Paul.
>
> At the ipsec-next tree,
>
> /* Audit Information */
> struct xfrm_audit {
> u32 secid;
> kuid_t loginuid;
> unsigned int sessionid;
> };
>
> has just been killed
> (
> https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec-next.git/commit
> /?id=f1370cc4a01e61007ab3020c761cef6b88ae3729 and
> https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec-next.git/commit
> /?id=2e71029e2c32ecd59a2e8f351517bfbbad42ac11 ) because these arguments are
> always calculated from current thread's security context.
Before we go to far, is it always true for AF_KEY that "current" is set to the
sending process? If the answer is no, I think we have a problem.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: xfrm: Can "struct netlbl_audit" be killed?
2014-04-24 13:18 ` Paul Moore
@ 2014-04-24 14:29 ` Tetsuo Handa
2014-04-24 14:40 ` Paul Moore
0 siblings, 1 reply; 4+ messages in thread
From: Tetsuo Handa @ 2014-04-24 14:29 UTC (permalink / raw)
To: paul; +Cc: casey, netdev, linux-security-module
Paul Moore wrote:
> On Thursday, April 24, 2014 08:51:35 PM Tetsuo Handa wrote:
> > Hello, Casey and Paul.
> >
> > At the ipsec-next tree,
> >
> > /* Audit Information */
> > struct xfrm_audit {
> > u32 secid;
> > kuid_t loginuid;
> > unsigned int sessionid;
> > };
> >
> > has just been killed
> > (
> > https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec-next.git/commit
> > /?id=f1370cc4a01e61007ab3020c761cef6b88ae3729 and
> > https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec-next.git/commit
> > /?id=2e71029e2c32ecd59a2e8f351517bfbbad42ac11 ) because these arguments are
> > always calculated from current thread's security context.
>
> Before we go to far, is it always true for AF_KEY that "current" is set to the
> sending process? If the answer is no, I think we have a problem.
Speak of "struct xfrm_audit", I think the answer is yes, or commit ab5f5e8b
"[XFRM]: xfrm audit calls" is wrong.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: xfrm: Can "struct netlbl_audit" be killed?
2014-04-24 14:29 ` Tetsuo Handa
@ 2014-04-24 14:40 ` Paul Moore
0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2014-04-24 14:40 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: casey, netdev, linux-security-module
On Thursday, April 24, 2014 11:29:08 PM Tetsuo Handa wrote:
> Paul Moore wrote:
> > On Thursday, April 24, 2014 08:51:35 PM Tetsuo Handa wrote:
> > > Hello, Casey and Paul.
> > >
> > > At the ipsec-next tree,
> > >
> > > /* Audit Information */
> > > struct xfrm_audit {
> > >
> > > u32 secid;
> > > kuid_t loginuid;
> > > unsigned int sessionid;
> > >
> > > };
> > >
> > > has just been killed
> > > (
> > > https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec-next.git/com
> > > mit
> > > /?id=f1370cc4a01e61007ab3020c761cef6b88ae3729 and
> > > https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec-next.git/com
> > > mit
> > > /?id=2e71029e2c32ecd59a2e8f351517bfbbad42ac11 ) because these arguments
> > > are
> > > always calculated from current thread's security context.
> >
> > Before we go to far, is it always true for AF_KEY that "current" is set to
> > the sending process? If the answer is no, I think we have a problem.
>
> Speak of "struct xfrm_audit", I think the answer is yes, or commit ab5f5e8b
> "[XFRM]: xfrm audit calls" is wrong.
I'm not assuming that ab5f5e8b is correct. It would be nice to know for sure
that current is always equal to the sending process for AF_KEY, and that isn't
something I'm certain is true off the top of my head.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-04-24 14:40 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-24 11:51 xfrm: Can "struct netlbl_audit" be killed? Tetsuo Handa
2014-04-24 13:18 ` Paul Moore
2014-04-24 14:29 ` Tetsuo Handa
2014-04-24 14:40 ` Paul Moore
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).