Date: Wed, 29 Apr 2015 23:16:54 +0200
Subject: Re: [GIT PULL] kdbus for 4.1-rc1
From: Paul Moore
To: Karol Lewandowski
Cc: Greg Kroah-Hartman, Paul Osmialowski, Stephen Smalley, Karol Lewandowski, Andy Lutomirski, Linus Torvalds, Andrew Morton, Arnd Bergmann, "Eric W. Biederman", One Thousand Gnomes, Tom Gundersen, Jiri Kosina, "linux-kernel@vger.kernel.org", Daniel Mack, David Herrmann, Djalal Harouni, k.lewandowsk@samsung.com

On Fri, Apr 24, 2015 at 4:08 AM, Karol Lewandowski wrote:
> On Thu, Apr 23, 2015 at 09:30:13PM +0200, Greg Kroah-Hartman wrote:
>> On Thu, Apr 23, 2015 at 01:42:25PM -0400, Stephen Smalley wrote:
>> > On 04/23/2015 01:16 PM, Greg Kroah-Hartman wrote:
>> > > The binder developers at Samsung have stated that the implementation we
>> > > have here works for their model as well, so I guess that is some kind of
>> > > verification it's not entirely tied to D-Bus. They have plans on
>> > > dropping the existing binder kernel code and using the kdbus code
>> > > instead when it is merged.
>> >
>> > Where do things stand wrt LSM hooks for kdbus? I don't see any security
>> > hook calls in the kdbus tree except for the purpose of metadata
>> > collection of process security labels. But nothing for enforcing MAC
>> > over kdbus IPC. binder has a set of security hooks for that purpose, so
>> > it would be a regression wrt MAC enforcement to switch from binder to
>> > kdbus without equivalent checking there.
>>
>> There was a set of LSM hooks proposed for kdbus posted by Karol
>> Lewandowski last October, and it also included SELinux and Smack patches.
>> They were going to be refreshed based on the latest code changes, but I
>> haven't seen them posted, or I can't seem to find them in my limited
>> email archive.
>
> We have been waiting for the right moment with these. :-)
>
>> Karol, what's the status of them?
>
> I have handed the patchset over to Paul Osmialowski, who started reworking it for v4
> relatively recently. I think it shouldn't be that hard to post an updated version...
>
> Paul?

Different Paul here, but very interested in the LSM and SELinux hooks
for obvious reasons; at a bare minimum please CC the LSM list on the
kdbus hooks, and preferably the SELinux list as well. The initial
SELinux hooks I threw together were just a rough first pass; we (the
LSM and SELinux folks) need to have a better discussion about how to
provide the necessary access controls for kdbus ... preferably before
it finds its way into a released kernel.

--
paul moore
www.paul-moore.com