Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:

> 1) Are we guaranteed that the caller only ever passes a single
> KEY_NEED_* perm at a time (i.e. hook is never called with a bitmask
> of multiple permissions)? Where is that guarantee enforced?

Currently it's the case that only one perm is ever used at once. I'm tempted
to enforce this by switching the KEY_NEED_* to an enum rather than a bitmask.

I'm not sure how I would actually define the meaning of two perms being OR'd
together. Either okay? Both required?

> 2) We had talked about adding a BUILD_BUG_ON() or other build-time
> guard

That doesn't help you trap unallowed perm combinations, though.

> to ensure that new KEY_NEED_* permissions
> are not added without updating SELinux. We already have similar
> constructs for catching new capabilities (#if CAP_LAST_CAP > 63 #error
> ...), socket address families (#if PF_MAX > 45 #error ...), RTM_* and
> XFRM_MSG* values.

David
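
The two guards discussed in this exchange, as an added userspace example that is not part of the original message and is not kernel or SELinux code: a build-time check that trips when a new KEY_NEED_* bit appears, and a run-time check that rejects OR'd permissions, which the build-time check cannot see. The KEY_NEED_* values, the `LSM_KEY_*` numbers and `key_need_to_lsm()` are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>

/* Bitmask permissions named after the KEY_NEED_* family in the thread.
 * The values are assumptions for this example. */
#define KEY_NEED_VIEW    0x01u
#define KEY_NEED_READ    0x02u
#define KEY_NEED_WRITE   0x04u
#define KEY_NEED_SEARCH  0x08u
#define KEY_NEED_LINK    0x10u
#define KEY_NEED_SETATTR 0x20u
#define KEY_NEED_ALL     0x3fu

/* Hypothetical LSM-side permission numbers (not SELinux's real ones). */
enum lsm_key_perm { LSM_KEY_VIEW = 1, LSM_KEY_READ, LSM_KEY_WRITE,
                    LSM_KEY_SEARCH, LSM_KEY_LINK, LSM_KEY_SETATTR };

/* Build-time guard in the style of "#if CAP_LAST_CAP > 63 #error": a new
 * bit changes KEY_NEED_ALL and stops the build until the map is updated. */
#if KEY_NEED_ALL != 0x3f
#error "New KEY_NEED_* permission added; update key_need_to_lsm()."
#endif

/* Map exactly one KEY_NEED_* bit to an LSM permission (> 0).
 * Returns -EINVAL for an empty mask, unknown bits, or several bits OR'd. */
int key_need_to_lsm(unsigned int need)
{
    if (need == 0 || (need & ~KEY_NEED_ALL) || (need & (need - 1)))
        return -EINVAL;

    switch (need) {
    case KEY_NEED_VIEW:    return LSM_KEY_VIEW;
    case KEY_NEED_READ:    return LSM_KEY_READ;
    case KEY_NEED_WRITE:   return LSM_KEY_WRITE;
    case KEY_NEED_SEARCH:  return LSM_KEY_SEARCH;
    case KEY_NEED_LINK:    return LSM_KEY_LINK;
    case KEY_NEED_SETATTR: return LSM_KEY_SETATTR;
    }
    return -EINVAL;
}

int main(void)
{
    printf("READ       -> %d\n", key_need_to_lsm(KEY_NEED_READ));
    printf("READ|WRITE -> %d\n", key_need_to_lsm(KEY_NEED_READ | KEY_NEED_WRITE));
    return 0;
}
```

Switching to an enum, as the reply suggests, would make the `need & (need - 1)` test unnecessary because sequential values cannot be combined into a mask; the range check and the build-time guard would still apply.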