Re: [PATCH] selinux: Add netlink xperm support

On Tue, Aug 20, 2024 at 2:02 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> On Mon, Aug 19, 2024 at 8:27 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
> > ---
> > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> > index 7229c9bf6c27..c95bf89c9ce5 100644
> > --- a/security/selinux/include/classmap.h
> > +++ b/security/selinux/include/classmap.h
> > @@ -96,17 +96,17 @@ const struct security_class_mapping secclass_map[] = {
> >         { "shm", { COMMON_IPC_PERMS, "lock", NULL } },
> >         { "ipc", { COMMON_IPC_PERMS, NULL } },
> >         { "netlink_route_socket",
> > -         { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
> > +         { COMMON_SOCK_PERMS, "nlmsg", "nlmsg_read", "nlmsg_write", NULL } },
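Review bot: inserting "nlmsg" before "nlmsg_read" in the netlink_route_socket list moves "nlmsg_read" and "nlmsg_write" one slot further along, so the bit assigned to each existing permission changes with this hunk; new permissions should be appended at the end of the list, immediately before the NULL, so that existing bit positions stay as they were. The "+" line would then read `{ COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg", NULL } },`. The hunk header claims 17 lines of context but only the netlink_route_socket entry is quoted here, so the same check applies to every other class this patch touches.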
>
> I would just add the "nlmsg" permission to the end of the list before
> the NULL for each class.
> Doesn't matter as much anymore since the dynamic class/perm mapping
> support was added but generally we avoid perturbing the
> class/permission bit assignments unless there is a good reason to do
> so. Feel free to wait to see if Paul agrees since your code will work
> as is.

I haven't had a chance to look at the rest of the patch yet, but I
agree with Stephen. Generally speaking we should strive to only add
new perms to the end of the list, I'd hate to hit some odd corner case
on someone's system simply because we thought we'd tempt fate and add
something to the front of the list ;)

-- 
paul-moore.com
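The review comments above turn on how a permission's position in the classmap array determines its bit. The following is an added illustration, not code from the kernel or from the patch: it computes the bit for each permission name as 1 << (index in the NULL-terminated list), which is how the kernel's generated compile-time permission constants are derived from classmap.h, and compares the pre-patch ordering, the ordering the quoted hunk introduces, and the append-to-end ordering Stephen suggested. The COMMON_SOCK_PERMS prefix is replaced by a constructed three-name stand-in, since the real macro's expansion is not on the page; only the relative shift matters for the point being made.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the COMMON_SOCK_PERMS prefix. The real macro
 * expands to more names, but any fixed prefix shows the same effect. */
#define STANDIN_SOCK_PERMS "ioctl", "read", "write"

/* netlink_route_socket permission lists, in the three orderings under
 * discussion: pre-patch, as in the quoted hunk, and appended before NULL. */
static const char *const perms_before[] =
	{ STANDIN_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL };
static const char *const perms_patch[] =
	{ STANDIN_SOCK_PERMS, "nlmsg", "nlmsg_read", "nlmsg_write", NULL };
static const char *const perms_append[] =
	{ STANDIN_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg", NULL };

/* Access-vector bit for a permission name: 1 << its index in the list,
 * or 0 if the name is not present. */
unsigned int perm_bit(const char *const perms[], const char *name)
{
	for (size_t i = 0; perms[i] != NULL; i++)
		if (strcmp(perms[i], name) == 0)
			return 1U << i;
	return 0;
}

/* Number of permissions from the old list whose bit differs in the
 * updated list; zero means existing assignments were left untouched. */
int count_shifted(const char *const old[], const char *const updated[])
{
	int shifted = 0;

	for (size_t i = 0; old[i] != NULL; i++)
		if (perm_bit(updated, old[i]) != perm_bit(old, old[i]))
			shifted++;
	return shifted;
}

static void dump(const char *label, const char *const perms[])
{
	printf("%s:\n", label);
	for (size_t i = 0; perms[i] != NULL; i++)
		printf("  %-12s 0x%08x\n", perms[i], perm_bit(perms, perms[i]));
}

int main(void)
{
	dump("before", perms_before);
	dump("patch (insert)", perms_patch);
	dump("append before NULL", perms_append);
	printf("shifted by insert: %d\n", count_shifted(perms_before, perms_patch));
	printf("shifted by append: %d\n", count_shifted(perms_before, perms_append));
	return 0;
}
```

Running it shows that the inserted ordering hands "nlmsg" the bit that "nlmsg_read" previously held and moves both existing permissions up one bit, while appending leaves every pre-existing bit where it was and gives "nlmsg" the next free position.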
