From: David Howells
To: Paul Moore
Cc: dhowells@redhat.com, viro@zeniv.linux.org.uk, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-afs@lists.infradead.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH 04/24] VFS: Add LSM hooks for filesystem context [ver #7]
Date: Fri, 20 Apr 2018 16:35:11 +0100
Message-ID: <3232.1524238511@warthog.procyon.org.uk>
References: <152414466005.23902.12967974041384198114.stgit@warthog.procyon.org.uk> <152414469006.23902.8132059438921850399.stgit@warthog.procyon.org.uk>

Paul Moore wrote:

> Adding the SELinux mailing list to the CC line; in the future please
> include the SELinux mailing list on patches like this. It would also
> be very helpful to include "selinux" somewhere in the subject line
> when the patch is predominately SELinux related (much like you did for
> the other LSMs in this patchset).

I should probably evict the SELinux bits into their own patch since the point of this patch is the LSM hooks, not specifically SELinux's implementation thereof.

> I can't say I've digested all of this yet, but what SELinux testing
> have you done with this patchset?

Using the fsopen()/fsmount() syscalls, these hooks will be made use of, say for NFS (which I haven't included in this list). Even sys_mount() will make use of them a bit, so just booting the system does that.

Note that for SELinux these hooks don't change very much except how the parameters are handled. It doesn't actually change the checks that are made - at least, not yet. There are some additional syscalls under consideration (such as the ability to pick a live mounted filesystem into a context) that might require additional permits.

David