On Thu, May 21, 2015 at 8:33 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 05/20/2015 05:22 PM, Paul Moore wrote:
>>> @@ -429,11 +456,15 @@ int avtab_read_item(struct avtab *a, void *fp, struct
>>> policydb *pol,
>>> 			printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
>>> 			return -EINVAL;
>>> 		}
>>> +		if (val & AVTAB_OP) {
>>> +			printk(KERN_ERR "SELinux: avtab: entry has operations\n");
>>> +			return -EINVAL;
>>> +		}
>>
>> Another "operations" vs. "extop" or similar. If we generalize, it would also
>> be nice to know what kind of extended operations, e.g. ioctl commands.
>>
>> Further, beyond the extension type (ioctl), I think it would be nice to
>> include a size value in the binary policy. With the current ioctl code it
>> would be 8/256, but we might want to make this variable in the future and it
>> would be nice not to have to bump the policy format again.
>
> Not sure we can avoid changing the format version again regardless.
> Note that we didn't even strictly need to increment the version this
> time, as the new structure is only included in the binary policy if one
> of the newly defined AVTAB_OP flag bits is set for the entry, but it was
> still useful to define a new version so that userspace can tell whether
> the kernel supports the extension and decide how to handle it if the
> policy defined these operations but the kernel doesn't support enforcing
> them. The same would be true of any future extension that used this
> facility.

You are probably right, but I think it might be a good idea just the same.

-- 
paul moore
www.paul-moore.com
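Review bot: the new `if (val & AVTAB_OP)` rejection in avtab_read_item is the right place to refuse entries the older format cannot carry, but its message "SELinux: avtab: entry has operations" will go stale once the flag is renamed as this thread suggests ("extop" or extended permissions rather than "operations"); keep the printk text in step with the final flag name and make it say why the entry is rejected (that these bits are not valid in this entry), so a policy that sets an AVTAB_OP bit fails to load with a diagnosable error instead of a bare -EINVAL that looks like corruption.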