Re: [PATCH v2] selinux: remove unused initial SIDs and improve handling

On Fri, Feb 14, 2020 at 2:22 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 2/14/20 7:46 AM, Ondrej Mosnacek wrote:
> > On Wed, Jan 29, 2020 at 5:42 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> >> Fully decoupling the policy and kernel initial SID values will
> >> require introducing a mapping between them and dyhamically
> >
> > Nit: s/dyhamically/dynamically/
>
> Ah, thanks; will fix if I need to re-spin.
>
> >> -               if (c->sid[0] == SECSID_NULL || c->sid[0] > SECINITSID_NUM) {
> >> -                       pr_err("SELinux:  Initial SID %s out of range.\n",
> >> -                               c->u.name);
> >> +               u32 sid = c->sid[0];
> >> +               const char *name = security_get_initial_sid_context(sid);
> >> +
> >> +               if (sid == SECSID_NULL) {
> >> +                       pr_err("SELinux:  SID null was assigned a context.\n");
> >>                          sidtab_destroy(s);
> >>                          goto out;
> >>                  }
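Review bot: the new SECSID_NULL error path drops the policy-side name from the message; the removed pr_err printed c->u.name, while the replacement "SID null was assigned a context." gives no hint which initial SID entry in the policy triggered the failure. Consider keeping the name, e.g. pr_err("SELinux:  Initial SID %s was assigned SID null.\n", c->u.name), so a bad policy can be diagnosed from the log alone.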
> >
> > Your sentence "Stop treating it as an error if a policy defines
> > additional initial SIDs unknown to the kernel." and the removed check
> > for > SECINITSID_NUM suggest that you intend to not treat this
> > condition as an error, but sidtab_set_initial() called below will
> > reject such a SID with -EINVAL. Or am I misreading it and you just
> > wanted to remove the duplicate check?
>
> The comment and if statement below will cause it to ignore any initial
> SIDs unused by the kernel, whether they are ones <= SECINITSID_NUM whose
> names have been dropped and replaced by NULL or ones > SECINITSID_NUM.
> security_get_initial_sid_context() returns NULL for anything >
> SECINITSID_NUM.

Ah yes, it hits the "if (!name) continue;" check, of course... Never mind then.

>
> >
> >> +
> >> +               /* Ignore initial SIDs unused by this kernel. */
> >> +               if (!name)
> >> +                       continue;
> >> +
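Review bot: the `if (!name) continue;` silently skips every initial SID the kernel does not know, including ones whose entries the kernel intentionally dropped. A pr_debug() naming the skipped c->u.name here would make it visible when a policy carries initial SIDs that this kernel never assigns a context to, without turning it back into an error.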
>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
