On Thu, Nov 30, 2023 at 3:45 AM Munehisa Kamata <kamatam@xxxxxxxxxx> wrote:
>
> Since commit d9250dea3f89 ("SELinux: add boundary support and thread
> context assignment"), SELinux has been supporting assigning per-thread
> security context under a constraint and the comment was updated
> accordingly. However, seems like commit d84f4f992cbd ("CRED: Inaugurate
> COW credentials") accidentally brought the old comment back that doesn't
> match what the code does.
>
> This just brings the updated comment back and does nothing else.
>
> Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
> Signed-off-by: Munehisa Kamata <kamatam@xxxxxxxxxx>
> ---
> security/selinux/hooks.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 855589b64641..d147f8ac9d9d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6459,7 +6459,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
> if (sid == 0)
> goto abort_change;
>
> - /* Only allow single threaded processes to change context */
> + /*
> + * SELinux allows to change context in the following case only.
> + * - Single threaded processes.
> + * - Multi threaded processes intend to change its context into
> + * more restricted domain (defined by TYPEBOUNDS statement).
> + */
Hi Munehisa, good catch :)
Considering the ease of understanding the code below (the naming makes
it pretty obvious what the functions do), I think I'd rather see the
wrong comment simply removed with nothing added back to replace it.
Does that sound good to you, and if so would you mind sending an
updated patch?
> if (!current_is_single_threaded()) {
> error = security_bounded_transition(tsec->sid, sid);
> if (error)
> --
> 2.40.1
--
paul-moore.com
