Date: Tue, 24 Apr 2018 18:35:18 +0400
From: Igor Stoppa <igor.stoppa@...il.com>
To: Stephen Smalley <sds@...ho.nsa.gov>, willy@...radead.org, keescook@...omium.org, paul@...l-moore.com, mhocko@...nel.org, corbet@....net
Cc: labbott@...hat.com, david@...morbit.com, rppt@...ux.vnet.ibm.com, linux-security-module@...r.kernel.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com, Igor Stoppa <igor.stoppa@...wei.com>
Subject: Re: [PATCH 9/9] Protect SELinux initialized state with pmalloc

On 24/04/18 16:49, Stephen Smalley wrote:
> On 04/23/2018 08:54 AM, Igor Stoppa wrote:

[...]

>> The patch is probably in need of rework, to make it fit better with the
>> new SELinux internal data structures, however it shows how to deny an
>> easy target to the attacker.
>
> I know this is just an example, but not sure why you wouldn't just protect the
> entire selinux_state.

Because I have much more to discuss about SELinux, which would involve the whole state, the policyDB and the AVC, I will start a separate thread about that.

This was merely as simple as possible an example of the use of the API. I just wanted to have a feeling about how it would be received :-)

> Note btw that the selinux_state encapsulation is preparatory work
> for selinux namespaces, at which point the structure is in fact dynamically allocated
> and there can be multiple instances of it. That however is work-in-progress, highly experimental,
> and might not ever make it upstream (if we can't resolve the various challenges it poses in a satisfactory
> way).

Yes, I am aware of this and I would like to discuss it also in the light of the future directions. I just didn't want to waste too much time on something that you might want to change radically in a month :-)

I already was caught once by surprise when ss_initialized disappeared just when I had a patch ready for it :-)

--
igor