On Sat, 25 Mar 2006, Linux Kernel Mailing List wrote:
> commit 8c8570fb8feef2bc166bee75a85748b25cda22d9
> tree ed783d405ea9d5f3d3ccc57fb56c7b7cb2cdfb82
> parent c8edc80c8b8c397c53f4f659a05b9ea6208029bf
> author Dustin Kirkland <[email protected]> Thu, 03 Nov 2005 17:15:16 +0000
> committer Al Viro <[email protected]> Tue, 21 Mar 2006 00:08:54 -0500
>
> [PATCH] Capture selinux subject/object context information.
>
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -869,6 +869,11 @@ struct swap_info_struct;
> * @ipcp contains the kernel IPC permission structure
> * @flag contains the desired (requested) permission set
> * Return 0 if permission is granted.
> + * @ipc_getsecurity:
> + * Copy the security label associated with the ipc object into
> + * @buffer. @buffer may be NULL to request the size of the buffer
> + * required. @size indicates the size of @buffer in bytes. Return
> + * number of bytes used/required on success.
I may have missed it, but was this change discussed on the LSM list?
> + char *(*inode_xattr_getsuffix) (void);
Not documented?
> static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
> - if (err > 0) {
> - if ((len == err) && !(memcmp(context, buffer, len))) {
> - /* Don't need to canonicalize value */
> - rc = err;
> - goto out_free;
> - }
> - memset(buffer, 0, size);
> - }
Where did this functionality go?
- James
--
James Morris
<[email protected]>
On Mon, 2006-03-27 at 02:28 -0500, James Morris wrote:
> On Sat, 25 Mar 2006, Linux Kernel Mailing List wrote:
>
> > commit 8c8570fb8feef2bc166bee75a85748b25cda22d9
> > tree ed783d405ea9d5f3d3ccc57fb56c7b7cb2cdfb82
> > parent c8edc80c8b8c397c53f4f659a05b9ea6208029bf
> > author Dustin Kirkland <[email protected]> Thu, 03 Nov 2005 17:15:16 +0000
> > committer Al Viro <[email protected]> Tue, 21 Mar 2006 00:08:54 -0500
> >
> > [PATCH] Capture selinux subject/object context information.
> >
>
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -869,6 +869,11 @@ struct swap_info_struct;
> > * @ipcp contains the kernel IPC permission structure
> > * @flag contains the desired (requested) permission set
> > * Return 0 if permission is granted.
> > + * @ipc_getsecurity:
> > + * Copy the security label associated with the ipc object into
> > + * @buffer. @buffer may be NULL to request the size of the buffer
> > + * required. @size indicates the size of @buffer in bytes. Return
> > + * number of bytes used/required on success.
>
> I may have missed it, but was this change discussed on the LSM list?
No, it was discussed on redhat-lspp and linux-audit.
>
> > + char *(*inode_xattr_getsuffix) (void);
>
> Not documented?
>
> > static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
>
> > - if (err > 0) {
> > - if ((len == err) && !(memcmp(context, buffer, len))) {
> > - /* Don't need to canonicalize value */
> > - rc = err;
> > - goto out_free;
> > - }
> > - memset(buffer, 0, size);
> > - }
>
> Where did this functionality go?
I raised the same concern in Dec (subj: audit patches in -mm that alter
current SELinux behavior), but concluded that falling through to
selinux_getsecurity() in all cases does no harm and the real cost here
is in the generation of the context string, so we don't save much by the
shortcut that was removed above.
--
Stephen Smalley
National Security Agency