On 1/7/2020 11:25 AM, Stephen Smalley wrote:
> On 12/24/19 6:59 PM, Casey Schaufler wrote:
>> Netlabel uses LSM interfaces requiring an lsmblob and
>> the internal storage is used to pass information between
>> these interfaces, so change the internal data from a secid
>> to an lsmblob. Update the netlabel interfaces and their
>> callers to accommodate the change. This requires that the
>> modules using netlabel use the lsm_id.slot to access the
>> correct secid when using netlabel.
>>
>> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>
> Why is this needed for stacking AppArmor? AA doesn't use NetLabel,
> at least not upstream AFAICS.

Netlabel uses LSM interfaces that provide/require blobs,
security_secid_to_secctx() and security_secctx_to_secid() in particular.
Either the data maintained needs to be converted to blobs or it needs
extensive scaffolding. The scaffolding would require a mechanism to
identify the lsmblob slot to be used in netlabel. You can't always use
slot 0 because it would be possible to put AppArmor on the module list
ahead of SELinux or Smack. That would be the only case where the slot
number is needed outside the security sub-system. Since converting the
netlabel data to blobs will be necessary eventually anyway, I want to
avoid having to provide a mechanism whereby netlabel can identify which
slot to use. This is especially true since Paul has nixed the idea of
assigning netlabel to a particular security module.
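The ordering problem Casey describes (a consumer such as NetLabel cannot assume slot 0 holds SELinux's or Smack's secid, because the module list order decides which slot each LSM gets) can be shown with a small user-space model. This is an added illustration, not code from the patch series or the kernel; the types lsm_blob_t and lsm_id_t and the functions lsm_register(), lsmblob_set() and lsmblob_get() are hypothetical stand-ins for the kernel's lsmblob and lsm_id, and the secid values are constructed samples.

```c
/* Added illustrative model (not kernel code): a shared blob with one secid
 * per LSM slot, where each module's slot is assigned at registration time in
 * list order. A consumer that reads the slot named by the module's lsm_id
 * gets the right secid regardless of ordering; one that hardcodes slot 0
 * does not. All names here are hypothetical stand-ins. */
#include <stdio.h>
#include <string.h>

#define MAX_LSM_SLOTS 4

/* Hypothetical stand-in for the kernel's lsmblob: one secid per slot. */
typedef struct {
    unsigned int secid[MAX_LSM_SLOTS];
} lsm_blob_t;

/* Hypothetical stand-in for lsm_id: module name plus its assigned slot. */
typedef struct {
    const char *name;
    int slot;            /* -1 until registered */
} lsm_id_t;

static int next_slot;
static lsm_id_t *registered[MAX_LSM_SLOTS];

/* Reset the model so each scenario starts from an empty module list. */
void lsm_model_reset(void)
{
    next_slot = 0;
    memset(registered, 0, sizeof(registered));
}

/* Register a module: slots are handed out in list order, so a module's
 * slot depends entirely on where it sits in the boot-time ordering. */
int lsm_register(lsm_id_t *id)
{
    if (next_slot >= MAX_LSM_SLOTS)
        return -1;
    id->slot = next_slot;
    registered[next_slot] = id;
    return next_slot++;
}

/* A module stores its own secid into the blob under its own slot. */
void lsmblob_set(lsm_blob_t *blob, const lsm_id_t *id, unsigned int secid)
{
    blob->secid[id->slot] = secid;
}

/* NetLabel-style consumer: fetch the secid for the module identified by
 * its lsm_id instead of reading slot 0 unconditionally. */
unsigned int lsmblob_get(const lsm_blob_t *blob, const lsm_id_t *id)
{
    return blob->secid[id->slot];
}

/* Scenario from the thread: AppArmor listed ahead of SELinux. Returns the
 * secid a consumer sees for SELinux when it uses lsm_id.slot, and stores in
 * *naive what it would see by blindly reading slot 0 (AppArmor's value). */
unsigned int selinux_secid_via_slot(unsigned int *naive)
{
    lsm_id_t apparmor = { "apparmor", -1 };
    lsm_id_t selinux  = { "selinux",  -1 };
    lsm_blob_t blob;

    lsm_model_reset();
    memset(&blob, 0, sizeof(blob));
    lsm_register(&apparmor);   /* gets slot 0 */
    lsm_register(&selinux);    /* gets slot 1 */

    lsmblob_set(&blob, &apparmor, 1001); /* constructed sample secid */
    lsmblob_set(&blob, &selinux, 42);    /* constructed sample secid */

    *naive = blob.secid[0];
    return lsmblob_get(&blob, &selinux);
}

int main(void)
{
    unsigned int naive;
    unsigned int secid = selinux_secid_via_slot(&naive);

    printf("SELinux secid via lsm_id.slot: %u (slot 0 would give %u)\n",
           secid, naive);
    return 0;
}
```

With AppArmor registered first, SELinux lands in slot 1; the slot-aware lookup returns SELinux's secid while the slot-0 read returns AppArmor's, which is exactly why a consumer outside the security subsystem would need a way to learn the slot if the netlabel data were not converted to blobs.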