| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhQFn1cE39YuXNxssttu1tU6oXWsYjGLSzD496Wa5-Gs5A@mail.gmail.com>
Date: Mon, 17 Jul 2023 16:21:49 -0400
From: Paul Moore <paul@...l-moore.com>
To: Christian Göttsche <cgzones@...glemail.com>
Cc: selinux@...r.kernel.org,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Paris <eparis@...isplace.org>,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] selinux: disable debug functions by default
On Thu, Jul 6, 2023 at 9:37 AM Christian Göttsche
<cgzones@...glemail.com> wrote:
>
> avtab_hash_eval() and hashtab_stat() are only used in policydb.c when
> the debug macro DEBUG_HASHES is defined.
>
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> security/selinux/ss/avtab.c | 2 ++
> security/selinux/ss/avtab.h | 3 +++
> security/selinux/ss/hashtab.c | 3 ++-
> security/selinux/ss/hashtab.h | 2 ++
> 4 files changed, 9 insertions(+), 1 deletion(-)
This reminds me that I don't really like the "hidden" and kludgy
nature of DEBUG_HASHES. What if we created a proper SELinux debug
Kconfig flag and used it in place of DEBUG_HASHES? I'm thinking of
something like this:
config SECURITY_SELINUX_DEBUG
bool "NSA SELinux kernel debugging support"
depends on SECURITY_SELINUX
default n
help
This enables debugging code designed to help SELinux kernel developers,
unless you know what this does in the kernel code you should leave this
disabled.
... and then we do all of the usual Kconfig triggered dummy funcs,
etc. Thoughts?
--
paul-moore.com
Powered by blists - more mailing lists