Go ahead and just remove them. I normally do, but forgot. They're just tracking tags for android.
On Fri, Jun 12, 2015 at 1:46 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
Also applied to the SELinux next-queue, thank you.

On Fri, Jun 12, 2015 at 12:02 PM, Jeff Vander Stoep <jeffv@xxxxxxxxxx> wrote:
> Add extended permissions logic to selinux. Extended permissions
> provides additional permissions in 256 bit increments. Extend the
> generic ioctl permission check to use the extended permissions for
> per-command filtering. Source/target/class sets including the ioctl
> permission may additionally include a set of commands. Example:
>
> allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
> auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
>
> Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
> representing commonly granted sets of ioctl commands.
>
> When ioctl commands are omitted only the permissions are checked.
> This feature is intended to provide finer granularity for the ioctl
> permission that may be too imprecise. For example, the same driver
> may use ioctls to provide important and benign functionality such as
> driver version or socket type as well as dangerous capabilities such
> as debugging features, read/write/execute to physical memory or
> access to sensitive data. Per-command filtering provides a mechanism
> to reduce the attack surface of the kernel, and limit applications
> to the subset of commands required.
>
> The format of the policy binary has been modified to include ioctl
> commands, and the policy version number has been incremented to
> POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
> change.
>
> The extended permissions logic is deliberately generic to allow
> components to be reused e.g. netlink filters
>
> Bug: 19416735
> Change-Id: Ibd462f12ba5748cf5dd91f28e5795764363121a2
> Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
> ---
> v6 adds omitted function comment header entries for avc_update_node
>
> security/selinux/avc.c | 415 ++++++++++++++++++++++++++++++++++--
> security/selinux/hooks.c | 42 +++-
> security/selinux/include/avc.h | 6 +
> security/selinux/include/security.h | 32 ++-
> security/selinux/ss/avtab.c | 104 +++++++--
> security/selinux/ss/avtab.h | 33 ++-
> security/selinux/ss/conditional.c | 32 ++-
> security/selinux/ss/conditional.h | 6 +-
> security/selinux/ss/policydb.c | 5 +
> security/selinux/ss/services.c | 213 ++++++++++++++++--
> security/selinux/ss/services.h | 6 +
> 11 files changed, 834 insertions(+), 60 deletions(-)
However, can you explain the "Bug" and "Change-Id" headers in your
patch description above? They are horribly generic and I'd like to
remove them from the sign-off or at least provide a more descriptive
name in order to limit the confusion. For example, could we provide a
URL instead of a bug ID#? Could it be an Android-Change-Id (or
similar)?
--
paul moore
www.paul-moore.com
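A toy model of the decision the commit message describes, added here and not code from the patch or the thread: each (source, target, class) triple carries ordinary permissions and, optionally, per-driver 256-bit bitmaps of ioctl commands. It assumes the kernel's convention of selecting the bitmap by the second byte of the command number and the bit by the low byte; every domain, type and command value in it is constructed.

```python
# Model of SELinux extended permissions (xperms) for per-ioctl filtering.
# Added illustration, not code from the kernel patch. Assumes the kernel's
# indexing convention: the second byte of the ioctl command selects a 256-bit
# bitmap (the "driver") and the low byte selects one bit in it (the "function").
# All domain, type and command numbers below are constructed sample values.


class IoctlPolicy:
    def __init__(self):
        # (source, target, class) -> set of ordinary permissions, e.g. {"ioctl"}
        self.allow = {}
        # (source, target, class) -> {driver byte: 256-bit int}; no entry means
        # the rule carries no command set, so only the permission is checked
        self.xperms = {}

    def allow_rule(self, src, tgt, cls, perms):
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

    def allowxperm_rule(self, src, tgt, cls, cmds):
        """allowxperm src tgt:cls ioctl { cmds }; cmds are ints or (lo, hi) ranges."""
        bitmaps = self.xperms.setdefault((src, tgt, cls), {})
        for item in cmds:
            lo, hi = item if isinstance(item, tuple) else (item, item)
            for cmd in range(lo, hi + 1):
                driver, func = (cmd >> 8) & 0xFF, cmd & 0xFF
                bitmaps[driver] = bitmaps.get(driver, 0) | (1 << func)

    def check_ioctl(self, src, tgt, cls, cmd):
        key = (src, tgt, cls)
        if "ioctl" not in self.allow.get(key, set()):
            return False  # base permission missing; xperms never widen it
        bitmaps = self.xperms.get(key)
        if bitmaps is None:
            return True  # no command set given: every ioctl command passes
        cmd &= 0xFFFF  # only the low 16 bits of the command take part
        driver, func = cmd >> 8, cmd & 0xFF
        return bool((bitmaps.get(driver, 0) >> func) & 1)


def build_example_policy():
    """Constructed policy: one driver (byte 0x42) exposes a benign version
    query (function 0x01) and a dangerous debug command (function 0x7f)."""
    p = IoctlPolicy()
    p.allow_rule("untrusted_app", "gpu_device", "chr_file", {"open", "ioctl"})
    p.allowxperm_rule("untrusted_app", "gpu_device", "chr_file",
                      [0x4201, (0x4210, 0x4213)])
    # priv_app gets the plain ioctl permission with no command set at all
    p.allow_rule("priv_app", "gpu_device", "chr_file", {"open", "ioctl"})
    return p
```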