Re: [PATCH 2/2] pidfd: add pidfdfs



On Fri, Feb 23, 2024 at 01:58:36PM -0800, Linus Torvalds wrote:
> On Fri, 23 Feb 2024 at 13:26, Christian Brauner <brauner@xxxxxxxxxx> wrote:
> >
> > So, the immediate fix separate from the selinux policy update is to fix
> > dbus-broker which we've done now:
> >
> >
> Why is that code then continuing the idiocy of doing different things
> for different error conditions?

Not under my control unfortunately.

> Also, honestly, if this breaks existing setups, then we should fix the
> kernel anyway. Changing things from the old anonymous inodes to the
> new pidfs inodes should *not* have caused any LSM denial issues.
> You used the same pointer to dbus-broker for the LSM changes, but I
> really don't think this should have required LSM changes in the first
> place. Your reaction to "my kernel change caused LSM to barf" should
> have made you go "let's fix the kernel so that LSM _doesn't_ barf".
> Maybe by making pidfs look exactly like anonfs to LSM. Since I don't
> see the LSM change, I'm not actually sure exactly what LSM even
> reacted to in that switch-over.

This is SELinux. So I think this is a misunderstanding. This isn't
something we can fix in the kernel. If SELinux is in enforcing mode in
userspace and it encounters anything that it doesn't know about it will
deny it by default. And the policy is entirely in userspace including
declaring new types for stuff like nsfs or pidfs to allow it. There's
just nothing to do in the kernel.

The SELinux policy update in userspace would always have to happen just
like it had to for nsfs. Usually that happens after a change has landed
and people realize breakage or realize that new functionality isn't
available. This time it's just interacting with bad error handling in
