Re: [RFC PATCH 0/4] Split security_task_getsecid() into subj and obj variants

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2/20/2021 6:41 AM, Paul Moore wrote:
> On Fri, Feb 19, 2021 at 8:49 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>> On 2/19/2021 3:28 PM, Paul Moore wrote:
>>> As discussed briefly on the list (lore link below), we are a little
>>> sloppy when it comes to using task credentials, mixing both the
>>> subjective and object credentials.  This patch set attempts to fix
>>> this by replacing security_task_getsecid() with two new hooks that
>>> return either the subjective (_subj) or objective (_obj) credentials.
>>>
>>> https://lore.kernel.org/linux-security-module/806848326.0ifERbkFSE@x2/T/
>>>
>>> Casey and John, I made a quick pass through the Smack and AppArmor
>>> code in an effort to try and do the right thing, but I will admit
>>> that I haven't tested those changes, just the SELinux code.  I
>>> would really appreciate your help in reviewing those changes.  If
>>> you find it easier, feel free to wholesale replace my Smack/AppArmor
>>> patch with one of your own.
>> A quick test pass didn't show up anything obviously
>> amiss with the Smack changes. I have will do some more
>> through inspection, but they look fine so far.
> Thanks for testing it out and giving it a look.  Beyond the Smack
> specific changes, I'm also interested in making sure all the hook
> callers are correct; I believe I made the correct substitutions, but a
> second (or third (or fourth ...)) set of eyes is never a bad idea.

I'm still not seeing anything that looks wrong. I'd suggest that Mimi
have a look at the IMA bits.




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux