| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1492014798.3881.16.camel@tycho.nsa.gov>
Date: Wed, 12 Apr 2017 12:33:18 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: Sebastien Buisson <sbuisson.ddn@...il.com>
Cc: Paul Moore <pmoore@...hat.com>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov,
william.c.roberts@...el.com, serge@...lyn.com,
james.l.morris@...cle.com, Eric Paris <eparis@...isplace.org>,
Paul Moore <paul@...l-moore.com>,
Sebastien Buisson <sbuisson@....com>
Subject: Re: [PATCH] selinux: add selinux_is_enforced() function
On Wed, 2017-04-12 at 17:19 +0200, Sebastien Buisson wrote:
> 2017-04-12 15:58 GMT+02:00 Stephen Smalley <sds@...ho.nsa.gov>:
> > Even your usage of selinux_is_enabled() looks suspect; that should
> > probably go away. Only other user of it seems to be some cred
> > validity
> > checking that could be dropped as well.
>
> Well the main reason for calling selinux_is_enabled() is performance
> optimization.
> Should I propose a patch to add a new security_is_enabled() function
> at the LSM abstraction layer? Or do you consider we should not test
> security enabled at all?
It isn't clear what "is enabled" means in general, particularly with
stacking. I would either drop it or replace it with a LSM hook that is
more precise. For example, NFSv4 introduced a security_ismaclabel()
hook so that it could test whether a given security.* xattr is a MAC
label.
Powered by blists - more mailing lists