On Thu, Feb 13, 2020 at 9:12 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 1/29/20 11:42 AM, Stephen Smalley wrote:
> > Remove initial SIDs that have never been used or are no longer
> > used by the kernel from its string table, which is also used
> > to generate the SECINITSID_* symbols referenced in code.
> > Update the code to gracefully handle the fact that these can
> > now be NULL. Stop treating it as an error if a policy defines
> > additional initial SIDs unknown to the kernel. Do not
> > load unused initial SID contexts into the sidtab.
> > Fix the incorrect usage of the name from the ocontext in error
> > messages when loading initial SIDs since these are not presently
> > written to the kernel policy and are therefore always NULL.
> >
> > This is a first step toward enabling future evolution of
> > initial SIDs. Further changes are required to both userspace
> > and the kernel to fully address
> > https://github.com/SELinuxProject/selinux-kernel/issues/12
> > but this takes a small step toward that end.
> >
> > Fully decoupling the policy and kernel initial SID values will
> > require introducing a mapping between them and dynamically
> > mapping them at load time.
> >
> > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>
> Any objections, acks/reviews, or other questions/comments on this patch?
> The GitHub issue has a more detailed discussion of how we can safely
> reuse and eventually increase the number of initial SIDs in the future.

First let me climb up on my current favorite soapbox ... This is a
perfect example of an email where you could have trimmed the bulk of it
in your reply to the original patch posting. ;)

Yes, I've been somewhat avoiding this patch simply because I'm not yet
sure what I think of all this yet, and since it affects the
kernel-userspace API it needs some careful thought. In other words,
yes, I see this patch and the associated GH issue, but no I don't have
any real comments yet. Sorry.

--
paul moore
www.paul-moore.com
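The behaviour the quoted commit message describes (a name table with NULL holes for retired initial SIDs, a policy loader that skips unused or unknown initial SIDs instead of failing, and error messages that use the kernel's own name rather than the always-NULL policy name) is illustrated below in a standalone C sketch. This is an added example written for this page, not the patch's code or anything from the SELinux kernel tree; the table contents, the `policy_isid` and `sidtab_stub` types and the `load_initial_sids` / `initial_sid_to_string` functions are all constructed for illustration.

```c
/* Added illustration, not kernel code: a name table with NULL holes and a
 * loader that tolerates unused and unknown initial SIDs. */
#include <stdio.h>
#include <string.h>

/* Hypothetical kernel-side table, indexed by initial SID number. A NULL
 * entry marks a SID the kernel no longer uses. The entries are constructed
 * for this example and only resemble the real SECINITSID_* names. */
static const char *const initial_sid_names[] = {
    NULL,        /* 0: never a valid SID */
    "kernel",
    NULL,        /* 2: retired, no longer referenced by the kernel */
    "init",
    NULL,        /* 4: retired */
    "unlabeled",
};
#define NUM_INITIAL_SIDS \
    (sizeof(initial_sid_names) / sizeof(initial_sid_names[0]))

/* One initial SID entry as a policy might carry it: number plus context.
 * There is deliberately no name field, mirroring the commit message's point
 * that the policy-side name is not written out and is therefore NULL. */
struct policy_isid {
    unsigned int sid;
    const char *context;
};

/* Minimal stand-in for the sidtab: which SIDs received a context. */
struct sidtab_stub {
    const char *context[NUM_INITIAL_SIDS];
};

/* Look up an initial SID's name, returning NULL for holes and for numbers
 * beyond the table rather than indexing out of bounds. */
const char *initial_sid_to_string(unsigned int sid)
{
    if (sid >= NUM_INITIAL_SIDS)
        return NULL;
    return initial_sid_names[sid];
}

/* Load a policy's initial SID contexts into the stub sidtab.
 * Returns the number of contexts loaded, or -1 on a hard error.
 *  - A SID the kernel does not know (past the table, or a NULL name) is
 *    skipped silently: a newer policy may legitimately define more of them.
 *  - A SID the kernel does use but which arrives without a context is an
 *    error, reported with the kernel's own name for that SID. */
int load_initial_sids(const struct policy_isid *isids, size_t n,
                      struct sidtab_stub *tab, FILE *err)
{
    int loaded = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned int sid = isids[i].sid;
        const char *name = initial_sid_to_string(sid);

        if (name == NULL)
            continue;               /* unused or unknown: not an error */

        if (isids[i].context == NULL) {
            if (err)
                fprintf(err, "SELinux: no context for initial SID %s\n",
                        name);
            return -1;
        }
        tab->context[sid] = isids[i].context;
        loaded++;
    }
    return loaded;
}
```

The two checks are what matter: the lookup helper is the single place that turns "retired" or "out of range" into NULL, so every caller that goes through it handles both cases the same way, and the loader's error path never dereferences the policy-side name that the commit message notes is always NULL.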