lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 9 Oct 2019 15:41:56 -0700
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     James Morris <jmorris@...ei.org>
Cc:     "Joel Fernandes (Google)" <joel@...lfernandes.org>,
        linux-kernel@...r.kernel.org,
        Peter Zijlstra <peterz@...radead.org>, rostedt@...dmis.org,
        primiano@...gle.com, rsavitski@...gle.com, jeffv@...gle.com,
        kernel-team@...roid.com, Alexei Starovoitov <ast@...nel.org>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        bpf@...r.kernel.org, Daniel Borkmann <daniel@...earbox.net>,
        Ingo Molnar <mingo@...hat.com>, Jiri Olsa <jolsa@...hat.com>,
        Kees Cook <keescook@...omium.org>,
        linux-security-module@...r.kernel.org,
        Matthew Garrett <matthewgarrett@...gle.com>,
        Namhyung Kim <namhyung@...nel.org>, selinux@...r.kernel.org,
        Song Liu <songliubraving@...com>,
        "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>,
        Yonghong Song <yhs@...com>, casey@...aufler-ca.com
Subject: Re: [PATCH RFC] perf_event: Add support for LSM and SELinux checks

On 10/9/2019 3:14 PM, James Morris wrote:
> On Wed, 9 Oct 2019, Casey Schaufler wrote:
>
>> Please consider making the perf_alloc security blob maintained
>> by the infrastructure rather than the individual modules. This
>> will save it having to be changed later.
> Is anyone planning on using this with full stacking?
>
> If not, we don't need the extra code & complexity. Stacking should only 
> cover what's concretely required by in-tree users.

I don't believe it's any simpler for SELinux to do the allocation
than for the infrastructure to do it. I don't see anyone's head
exploding over the existing infrastructure allocation of blobs.
We're likely to want it at some point, so why not avoid the hassle
and delay by doing it the "new" way up front?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ