Message-ID: <CAHC9VhS2j4cAqdPtUHzHcc_ShLAP7cndVurcpcLj9G1cAxSMMQ@mail.gmail.com>
Date: Wed, 27 Jan 2021 22:33:41 -0500
From: Paul Moore <paul@...l-moore.com>
To: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Cc: zohar@...ux.ibm.com,
Stephen Smalley <stephen.smalley.work@...il.com>,
tusharsu@...ux.microsoft.com, tyhicks@...ux.microsoft.com,
casey@...aufler-ca.com, agk@...hat.com, snitzer@...hat.com,
gmazyland@...il.com, sashal@...nel.org,
James Morris <jmorris@...ei.org>,
linux-integrity@...r.kernel.org, selinux@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] selinux: measure state and policy capabilities
On Sun, Jan 24, 2021 at 12:04 PM Lakshmi Ramasubramanian
<nramas@...ux.microsoft.com> wrote:
> On 1/22/21 1:21 PM, Paul Moore wrote:
...
> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >> index 644b17ec9e63..879a0d90615d 100644
> >> --- a/security/selinux/hooks.c
> >> +++ b/security/selinux/hooks.c
> >> @@ -7407,6 +7408,10 @@ int selinux_disable(struct selinux_state *state)
> >>
> >> selinux_mark_disabled(state);
> >>
> >> + mutex_lock(&state->policy_mutex);
> >> + selinux_ima_measure_state(state);
> >> + mutex_unlock(&state->policy_mutex);
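Review bot: the measurement is being added to selinux_disable(), the runtime-disable path that this thread identifies as deprecated (Documentation/ABI/obsolete/sysfs-selinux-disable) and slated for removal, so the hunk attaches a new IMA measurement point to code that is going away; since, as noted in the reply, this path is only reached when no policy was ever loaded, dropping the three added lines (as the thread agrees to do) is the cleaner choice. Also, the hunk header `@@ -7407,6 +7408,10 @@` accounts for four added lines while only three `+` lines are quoted here, so one line (presumably a blank separator) was lost in quoting; worth confirming the quoted hunk matches the submitted patch before the respin.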
> >
> > I'm not sure if this affects your decision to include this action in
> > the measurements, but this function is hopefully going away in the not
> > too distant future as we do away with support for disabling SELinux at
> > runtime.
> >
> > FWIW, I'm not sure it's overly useful anyway; you only get here if you
> > never had any SELinux policy/state configured and you decide to
> > disable SELinux instead of loading a policy. However, I've got no
> > objection to this code.
>
> If support for disabling SELinux at runtime will be removed, then I
> don't see a reason to trigger a measurement here. I'll remove this
> measurement.
It's currently marked as deprecated, see
Documentation/ABI/obsolete/sysfs-selinux-disable.
--
paul moore
www.paul-moore.com