[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhQUdU6iXrnMTGsHd4qg7DnHDVoiWE9rfOQPjNoasLBbUA@mail.gmail.com>
Date: Thu, 4 Nov 2021 15:10:28 -0400
From: Paul Moore <paul@...l-moore.com>
To: David Miller <davem@...emloft.net>
Cc: lucien.xin@...il.com, omosnace@...hat.com, netdev@...r.kernel.org,
selinux@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-sctp@...r.kernel.org, kuba@...nel.org,
marcelo.leitner@...il.com, jmorris@...ei.org,
richard_c_haines@...nternet.com
Subject: Re: [PATCHv2 net 4/4] security: implement sctp_assoc_established hook
in selinux
On Thu, Nov 4, 2021 at 7:02 AM David Miller <davem@...emloft.net> wrote:
> From: Paul Moore <paul@...l-moore.com>
> Date: Wed, 3 Nov 2021 23:17:00 -0400
> >
> > While I understand you did not intend to mislead DaveM and the netdev
> > folks with the v2 patchset, your failure to properly manage the
> > patchset's metadata *did* mislead them and as a result a patchset with
> > serious concerns from the SELinux side was merged. You need to revert
> > this patchset while we continue to discuss, develop, and verify a
> > proper fix that we can all agree on. If you decide not to revert this
> > patchset I will work with DaveM to do it for you, and that is not
> > something any of us wants.
>
> I would prefer a follow-up rathewr than a revert at this point.
>
> Please work with Xin to come up with a fix that works for both of you.
We are working with Xin (see this thread), but you'll notice there is
still not a clear consensus on the best path forward. The only thing
I am clear on at this point is that the current code in linux-next is
*not* something we want from a SELinux perspective. I don't like
leaving known bad code like this in linux-next for more than a day or
two so please revert it, now. If your policy is to merge substantive
non-network subsystem changes into the network tree without the proper
ACKs from the other subsystem maintainers, it would seem reasonable to
also be willing to revert those patches when the affected subsystems
request it.
I understand that if a patchset is being ignored you might feel the
need to act without an explicit ACK, but this particular patchset
wasn't even a day old before you merged into the netdev tree. Not to
mention that the patchset was posted during the second day of the
merge window, a time when many maintainers are busy testing code,
sending pull requests to Linus, and generally managing merge window
fallout.
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists