Message-ID: <6cfe4uqtic6ga3ch463zflke2wp5hobd7j3r5ctyp4puwbjiet@xgi6jfi7au3c>
Date: Wed, 10 Sep 2025 18:12:05 -0500
From: Maxwell Bland <mbland@...orola.com>
To: Stephen Smalley <stephen.smalley.work@...il.com>
Cc: selinux@...r.kernel.org, paul@...l-moore.com, omosnace@...hat.com,
        netdev@...r.kernel.org, horms@...nel.org
Subject: Re: [PATCH v7 01/42] selinux: restore passing of selinux_state

On Thu, Aug 14, 2025 at 09:25:52AM -0400, Stephen Smalley wrote:
> This reverts commit e67b79850fcc4eb5 ("selinux: stop passing selinux_state
> pointers and their offspring"). This change is necessary in order to
> support SELinux namespaces.
> 

FYI, thank you for this new commit. Some "fuel for the fire":

Turns out, e67b79850fcc4eb5 makes it hard to enforce immutability on the
SELinux state / AVC cache from EL2, because the compiler likes to put
them on the same page, leading to having the hypervisor track spinlock
management issues, just to ensure the core selinux state remains
unmodified. 

In the past (pre-2023/e67b79850fcc4eb5), it was possible to set the avc
cache onto a separate page from the other critical selinux_state data
during early boot, and it looks like this *may* restore that.

As you likely know, the issue is that, without EL2 enforcement of immutability
on the selinux_state page, it is possible to just flip the enforcing bit
via an EL1 write-gadget. It may also be possible to address this whole
issue using ARM MTE or something else.

Regards,
Maxwell Bland
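To illustrate the placement point raised in the mail, here is an added, constructed C sketch (not from the thread or the kernel): two stand-in objects, a rarely written state struct and a frequently updated cache, are laid out once with default linkage and once page-aligned, and a helper reports whether they share a page. The 4 KiB page size and the struct shapes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL  /* assumed page size for this demo */

/* Constructed stand-ins: a small, rarely written policy state and a
 * frequently updated cache (roughly the selinux_state / AVC split). */
struct policy_state { int enforcing; int initialized; };
struct cache_entry  { uint32_t ssid, tsid, tclass, allowed; };

/* Default placement: the linker may pack both into .bss back to back,
 * so a page-granular write-protection of the state would also cover
 * (and trap on) every cache update. */
static struct policy_state state_default;
static struct cache_entry  cache_default[64];

/* Page-separated placement: PAGE_SIZE alignment guarantees each object
 * starts its own page, so protecting the state page never touches the cache. */
static struct policy_state state_aligned   __attribute__((aligned(PAGE_SIZE)));
static struct cache_entry  cache_aligned[64] __attribute__((aligned(PAGE_SIZE)));

static uintptr_t page_of(const void *p) { return (uintptr_t)p & ~(PAGE_SIZE - 1); }

/* Returns 1 if any page holds bytes of both objects, 0 otherwise. */
int objects_share_page(const void *a, size_t alen, const void *b, size_t blen)
{
    uintptr_t a_lo = page_of(a), a_hi = page_of((const char *)a + alen - 1);
    uintptr_t b_lo = page_of(b), b_hi = page_of((const char *)b + blen - 1);
    return a_lo <= b_hi && b_lo <= a_hi;
}

int default_layout_shares_page(void)
{
    return objects_share_page(&state_default, sizeof state_default,
                              cache_default, sizeof cache_default);
}

int aligned_layout_shares_page(void)
{
    return objects_share_page(&state_aligned, sizeof state_aligned,
                              cache_aligned, sizeof cache_aligned);
}

/* Deterministic positive case: two halves of one 64-byte-aligned buffer. */
int adjacent_halves_share_page(void)
{
    static char buf[64] __attribute__((aligned(64)));
    return objects_share_page(buf, 32, buf + 32, 32);
}

int main(void)
{
    printf("default layout shares a page: %d\n", default_layout_shares_page());
    printf("aligned layout shares a page: %d\n", aligned_layout_shares_page());
    return 0;
}
```

The default-layout result depends on the linker and is not guaranteed either way; only the aligned layout is deterministic.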
