Message-ID: <CAEjxPJ4FYD2zyOCiUSnOzf7eP5_aN0d86=R7scwUueyCMQzF-A@mail.gmail.com>
Date: Thu, 11 Sep 2025 08:19:20 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: Maxwell Bland <mbland@...orola.com>
Cc: selinux@...r.kernel.org, paul@...l-moore.com, omosnace@...hat.com, 
	netdev@...r.kernel.org, horms@...nel.org
Subject: Re: [PATCH v7 01/42] selinux: restore passing of selinux_state

On Wed, Sep 10, 2025 at 7:12 PM Maxwell Bland <mbland@...orola.com> wrote:
>
> On Thu, Aug 14, 2025 at 09:25:52AM -0400, Stephen Smalley wrote:
> > This reverts commit e67b79850fcc4eb5 ("selinux: stop passing selinux_state
> > pointers and their offspring"). This change is necessary in order to
> > support SELinux namespaces.
> >
>
> FYI, thank you for this new commit. Some "fuel for the fire":
>
> Turns out, e67b79850fcc4eb5 makes it hard to enforce immutability on the
> SELinux state / AVC cache from EL2, because the compiler likes to put
> them on the same page, leading to having the hypervisor track spinlock
> management issues, just to ensure the core selinux state remains
> unmodified.
>
> In the past (pre-2023/e67b79850fcc4eb5), it was possible to set the avc
> cache onto a separate page from the other critical selinux_state data
> during early boot, and it looks like this *may* restore that.
>
> As you likely know, the issue is without EL2 enforcement of immutability
> on the selinux_state page it is possible to just flip the enforcing bit
> via EL1 write-gadget. It may also be possible to address this whole
> issue using ARM MTE or something else.

The reason for e67b79850fcc4eb5 ("selinux: stop passing selinux_state
pointers and their offspring") was that Linus was unhappy with the
extra argument passing throughout the SELinux functions for the global
selinux_state.
Until/unless we merge my SELinux namespace series (of which this is
merely the first in the series), we don't have a compelling reason to
restore the passing of the selinux_state.
That said, placing selinux_state on a separate page from the AVC cache
should be doable via a separate patch independent of the SELinux
namespace series itself, so you could always submit a patch to do
exactly that.
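The layout point raised above (the enforcing bit being flippable through an arbitrary write once selinux_state shares a page with constantly-written cache data, versus giving the state a page of its own that a higher privilege level can lock) can be modelled in userspace. The following is an added example, not code from the kernel, from this patch series, or from either poster: `struct sec_state` and `struct avc_cache` are hypothetical stand-ins for selinux_state and the AVC cache, `write_gadget()` stands in for an EL1 arbitrary-write primitive, and `mprotect()` stands in for the EL2 stage-2 write protection the thread discusses. It assumes a Linux host whose page size is 4K or 16K (PAGE_ALIGN is chosen to cover both).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Assumed page alignment: 16K is a multiple of both 4K and 16K pages, so an
 * object aligned and padded to it occupies whole pages on either host. */
#define PAGE_ALIGN 16384

/* Hypothetical stand-in for the immutable part of selinux_state. */
struct sec_state {
    int enforcing;
    int initialized;
    int policycap[8];
};

/* Hypothetical stand-in for the AVC cache: small, hot, always writable. */
struct avc_cache {
    uint32_t hits;
    uint32_t misses;
    uint32_t slots[64];
};

/* Naive layout: two ordinary globals, placed wherever the compiler likes,
 * typically next to each other in .bss and therefore on one page. */
static struct sec_state naive_state;
static struct avc_cache naive_avc;

/* Separated layout: the state starts on a page boundary and is padded to a
 * whole page, so nothing else (in particular the cache) can share it. */
union state_page {
    struct sec_state state;
    unsigned char pad[PAGE_ALIGN];
};
static union state_page isolated __attribute__((aligned(PAGE_ALIGN)));
static struct avc_cache isolated_avc __attribute__((aligned(PAGE_ALIGN)));

/* True if both addresses fall in the same page of the given size. */
static bool same_page(const void *a, const void *b, size_t page)
{
    return ((uintptr_t)a / page) == ((uintptr_t)b / page);
}

/* Stand-in for the EL1 write gadget: store an attacker-chosen value through
 * an attacker-chosen pointer. A SIGSEGV means the write was blocked. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 0 if the write landed, -1 if the page protection stopped it. */
static int write_gadget(int *target, int value)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int rc = -1;
    if (sigsetjmp(fault_env, 1) == 0) {
        *(volatile int *)target = value;
        rc = 0;
    }
    sigaction(SIGSEGV, &old, NULL);
    return rc;
}

/* Stand-in for EL2 stage-2 write protection of the state page. This is only
 * possible without also freezing the cache because the state has its own page. */
static int protect_state(void)   { return mprotect(&isolated, sizeof isolated, PROT_READ); }
static int unprotect_state(void) { return mprotect(&isolated, sizeof isolated, PROT_READ | PROT_WRITE); }

/* Naive layout: nothing stops the gadget. Returns the enforcing bit afterwards (0). */
static int attack_naive(void)
{
    naive_state.enforcing = 1;
    naive_avc.hits++;
    write_gadget(&naive_state.enforcing, 0);
    return naive_state.enforcing;
}

/* Separated layout: the write faults, enforcing stays 1, and the cache on its
 * own page remains writable. Returns 1 when all of that holds. */
static int attack_isolated(void)
{
    unprotect_state();
    isolated.state.enforcing = 1;
    protect_state();
    int rc = write_gadget(&isolated.state.enforcing, 0);
    int after = isolated.state.enforcing;
    isolated_avc.hits++;
    unprotect_state();
    return (rc == -1 && after == 1) ? 1 : 0;
}

int main(void)
{
    printf("naive: state/avc share a 4K page: %s\n",
           same_page(&naive_state, &naive_avc, 4096) ? "yes" : "no");
    printf("isolated: state/avc share a 4K page: %s\n",
           same_page(&isolated.state, &isolated_avc, 4096) ? "yes" : "no");
    printf("naive layout, enforcing after gadget: %d\n", attack_naive());
    printf("isolated + protected layout, write blocked: %d\n", attack_isolated());
    return 0;
}
```

The naive layout is not guaranteed to put the two globals on one page (it depends on what else the linker places in .bss), which is exactly the point: the separated layout makes the property hold by construction, the same way a page-aligned, page-padded definition in the kernel would let a hypervisor protect the state without having to reason about whatever the compiler placed beside it.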
