[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhQ+SmaYB-1zz2q9j1XJeAFaY+emn_KoNiXxqJDt6wjT0w@mail.gmail.com>
Date: Thu, 31 Oct 2024 18:20:16 -0400
From: Paul Moore <paul@...l-moore.com>
To: cgzones@...glemail.com, selinux@...r.kernel.org
Cc: Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>,
Thiébaud Weksteen <tweek@...gle.com>,
Bram Bonné <brambonne@...gle.com>,
Jacob Satterfield <jsatterfield.linux@...il.com>, Eric Suen <ericsu@...ux.microsoft.com>,
Casey Schaufler <casey@...aufler-ca.com>, John Johansen <john.johansen@...onical.com>,
Canfeng Guo <guocanfeng@...ontech.com>, GUO Zihua <guozihua@...wei.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] selinux: add support for xperms in conditional policies
On Wed, Oct 23, 2024 at 11:27 AM Christian Göttsche
<cgoettsche@...tendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@...glemail.com>
>
> Add support for extended permission rules in conditional policies.
> Currently the kernel accepts such rules already, but evaluating a
> security decision will hit a BUG() in
> services_compute_xperms_decision(). Thus reject extended permission
> rules in conditional policies for current policy versions.
>
> Add a new policy version for this feature.
>
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> v2:
> rebased onto the netlink xperm patch
> ---
> security/selinux/include/security.h | 3 ++-
> security/selinux/ss/avtab.c | 11 +++++++++--
> security/selinux/ss/avtab.h | 2 +-
> security/selinux/ss/conditional.c | 2 +-
> security/selinux/ss/policydb.c | 5 +++++
> security/selinux/ss/services.c | 12 ++++++++----
> 6 files changed, 26 insertions(+), 9 deletions(-)
This looks fine to me, but I believe there are some outstanding
userspace issues that need to be resolved?
--
paul-moore.com
Powered by blists - more mailing lists