lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Tue, 29 Aug 2006 17:02:13 -0400
From:	Eric Paris <eparis@...isplace.org>
To:	Benjamin LaHaise <bcrl@...ck.org>
Cc:	linux-kernel@...r.kernel.org, sds@...ho.nsa.gov,
	James Morris <jmorris@...hat.com>, akpm@...l.org
Subject: Re: [PATCH] SELinux: work around filesystems which call
	d_instantiate before setting inode mode

On Tue, 2006-08-29 at 16:13 -0400, Benjamin LaHaise wrote:
> On Tue, Aug 29, 2006 at 04:08:25PM -0400, Eric Paris wrote:
> > diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
> > index 960ef18..043d479 100644
> > --- a/security/selinux/include/avc.h
> > +++ b/security/selinux/include/avc.h
> > @@ -125,6 +125,8 @@ int avc_add_callback(int (*callback)(u32
> >  		     u32 events, u32 ssid, u32 tsid,
> >  		     u16 tclass, u32 perms);
> >  
> > +const char *avc_class_to_string(u16 tclass);
> > +
> >  /* Exported to selinuxfs */
> >  int avc_get_hash_stats(char *page);
> >  extern unsigned int avc_cache_threshold;
> > diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> > index a300702..88bba69 100644
> > --- a/security/selinux/avc.c
> > +++ b/security/selinux/avc.c
> > @@ -218,7 +218,7 @@ static void avc_dump_query(struct audit_
> >  		audit_log_format(ab, " tcontext=%s", scontext);
> >  		kfree(scontext);
> >  	}
> > -	audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
> > +	audit_log_format(ab, " tclass=%s", avc_class_to_string(tclass));
> >  }
> >  
> >  /**
> > @@ -913,3 +913,15 @@ int avc_has_perm(u32 ssid, u32 tsid, u16
> >  	avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
> >  	return rc;
> >  }
> > +
> > +/**
> > + * avc_class_to_string - return a human readable string given an object class.
> > + * @tclass: the target class we wish to translate
> > + *
> > + * Simply take the target object class passed to us and return the human
> > + * readable string associated with that class
> > + */
> > +const char *avc_class_to_string(u16 tclass)
> > +{
> > +	return class_to_string[tclass];
> > +}
> 
> This portion of the patch has absolutely nothing to do with the core 
> changes, and should be separate.  It is also introducing bloat, as the 
> array index is very easy to calculate.
> 
> 		-ben

We need some method to get access to the class_to_string array (defined
inside avc.c) from hooks.c  In my core changes this is needed to be able
to translate the numeric tclass into a human readable string in the new
warning message in hooks.c  I agree this would be needless if the only
user of avc_class_to_string was avc_dump_query but the whole point of
adding this new accessor was the new inode_update_sclass user in
hooks.c.

Were you suggesting that rather than use an accessor function I instead
make the array extern and use it directly?  I don't forsee this array
syntax changing any time in the future but I'd still rather have some
logical interface that is most likely just going to get compiled out.
This way if things do change we don't have to hunt down all the direct
users of the array across different code.

-Eric

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ