Message-ID: <CAHC9VhRzT_5HNOHx78v99VKqtiPN9MC8My4g4nRgUNnPh9xXOw@mail.gmail.com>
Date: Mon, 2 Dec 2024 22:26:59 -0500
From: Paul Moore <paul@...l-moore.com>
To: Christian Göttsche <cgzones@...glemail.com>
Cc: selinux@...r.kernel.org, Stephen Smalley <stephen.smalley.work@...il.com>,
Ondrej Mosnacek <omosnace@...hat.com>, Thiébaud Weksteen <tweek@...gle.com>,
Bram Bonné <brambonne@...gle.com>,
Jacob Satterfield <jsatterfield.linux@...il.com>, Eric Suen <ericsu@...ux.microsoft.com>,
Casey Schaufler <casey@...aufler-ca.com>, John Johansen <john.johansen@...onical.com>,
Canfeng Guo <guocanfeng@...ontech.com>, GUO Zihua <guozihua@...wei.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] selinux: add support for xperms in conditional policies
On Thu, Nov 28, 2024 at 7:49 AM Christian Göttsche
<cgzones@...glemail.com> wrote:
> On Thu, 31 Oct 2024 at 23:20, Paul Moore <paul@...l-moore.com> wrote:
> > On Wed, Oct 23, 2024 at 11:27 AM Christian Göttsche
> > <cgoettsche@...tendoof.de> wrote:
> > >
> > > From: Christian Göttsche <cgzones@...glemail.com>
> > >
> > > Add support for extended permission rules in conditional policies.
> > > Currently the kernel accepts such rules already, but evaluating a
> > > security decision will hit a BUG() in
> > > services_compute_xperms_decision(). Thus reject extended permission
> > > rules in conditional policies for current policy versions.
> > >
> > > Add a new policy version for this feature.
> > >
> > > Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> > > ---
> > > v2:
> > > rebased onto the netlink xperm patch
> > > ---
> > > security/selinux/include/security.h | 3 ++-
> > > security/selinux/ss/avtab.c | 11 +++++++++--
> > > security/selinux/ss/avtab.h | 2 +-
> > > security/selinux/ss/conditional.c | 2 +-
> > > security/selinux/ss/policydb.c | 5 +++++
> > > security/selinux/ss/services.c | 12 ++++++++----
> > > 6 files changed, 26 insertions(+), 9 deletions(-)
> >
> > This looks fine to me, but I believe there are some outstanding
> > userspace issues that need to be resolved?
>
> Hi,
>
> I know it's very late in the development cycle, but I wanted to ask if
> there is a chance this could be merged for 6.13?
I'm sorry, but it is/was too late for those changes to be merged into
the kernel. I'm sure you've seen this already, but the process is
documented in the README.md file which is linked below:
* https://github.com/SELinuxProject/selinux-kernel/blob/main/README.md
The relevant portion is copied below:
"During the development cycle that starts with the close of the kernel
merge window and ends with the tagged kernel release, patches will be
accepted into the stable-X.Y and dev branches as described in their
respective sections in this document. While patches will be accepted
into the stable-X.Y branch at any point in time, significant changes
will likely not be accepted into the dev branch when there are two or
less weeks left in the development cycle; this typically means that
only critical bugfixes are accepted once the vX.Y-rc6 kernel is
released."
> The userspace patches are merged and currently part of 3.8-rc1, and
> these kernel changes are quite simple, since most of the needed
> functionality was already in place.
> I created a testsuite patch over at
> https://github.com/SELinuxProject/selinux-testsuite/pull/98.
Thank you!
--
paul-moore.com