From: Paul Moore
Date: Mon, 24 Aug 2020 18:18:05 -0400
Subject: Re: [PATCH] SELinux: Measure state and hash of policy using IMA
To: Lakshmi Ramasubramanian
Cc: Ondrej Mosnacek, Stephen Smalley, Mimi Zohar, Casey Schaufler, Tyler Hicks, tusharsu@linux.microsoft.com, Sasha Levin, James Morris, linux-integrity@vger.kernel.org, SElinux list, LSM List, linux-kernel
References: <20200822010018.19453-1-nramas@linux.microsoft.com> <418618c4-a0c6-6b28-6718-2726a29b83c5@linux.microsoft.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 24, 2020 at 5:29 PM Lakshmi Ramasubramanian wrote:
> On 8/24/20 1:01 PM, Ondrej Mosnacek wrote:
> > On Mon, Aug 24, 2020 at 9:30 PM Stephen Smalley wrote:
> >> On Mon, Aug 24, 2020 at 2:13 PM Lakshmi Ramasubramanian wrote:
> >>> On 8/24/20 7:00 AM, Stephen Smalley wrote:
...
> >>> Is Ondrej's re-try approach what I need to use to work around the
> >>> policy reload issue?
> >>
> >> No, I think perhaps we should move the mutex to selinux_state instead
> >> of selinux_fs_info. selinux_fs_info has a pointer to selinux_state so
> >> it can then use it indirectly. Note that your patches are going to
> >> conflict with other ongoing work in the selinux next branch that is
> >> refactoring policy load and converting the policy rwlock to RCU.
> >
> > Yeah, and I'm experimenting with a patch on top of Stephen's RCU work
> > that would allow you to do this in a straightforward way without even
> > messing with the fsi->mutex. My patch may or may not be eventually
> > committed, but either way I'd recommend holding off on this for a
> > while until the dust settles around the RCU conversion.
>
> I can make the SELinux/IMA changes in the "selinux next branch", taking
> dependencies on Stephen's patches + relevant IMA patches.

I know it can be frustrating to hear what I'm about to say, but the best
option is probably just to wait a little to let things settle in the
SELinux -next branch. There is a lot of stuff going on right now with
patches flooding in (at least "flooding" from a SELinux kernel development
perspective) and we/I haven't gotten through all of them yet.

> Could you please let me know the URL to the "selinux next branch"?

git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next

--
paul moore
www.paul-moore.com
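The locking layout Stephen suggests above (one mutex owned by selinux_state, reached by selinuxfs through its pointer to the state rather than through a lock private to selinux_fs_info), shown as an added user-space model. This is example code written for this page, not kernel code and not the patch under discussion: the struct and function names (policy_state, fs_info, fs_reload_policy, measure_policy) are hypothetical, the sample policy blobs are constructed strings, and FNV-1a stands in for whatever hash IMA would actually record. What it demonstrates is that, once the lock lives in the shared state, a second consumer such as a measurement hook can serialize against a reload entered through the fs front end without either side knowing about the other.

```c
/*
 * User-space model of the locking layout discussed above: one mutex owned by
 * the shared policy state, reached indirectly by the selinuxfs-like front end
 * and directly by an IMA-style measurement hook. Added example only; the
 * struct and function names are hypothetical and this is not kernel code.
 */
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct policy_state {
	pthread_mutex_t policy_mutex;	/* serializes policy load and measurement */
	const uint8_t *policy;		/* active policy blob */
	size_t policy_len;
	unsigned long load_seq;		/* bumped on every completed reload */
};

/* The fs front end owns no lock of its own; it only points at the state,
 * mirroring "selinux_fs_info has a pointer to selinux_state". */
struct fs_info {
	struct policy_state *state;
};

/* Constructed sample policies; real policies are binary policydb images. */
static const uint8_t POLICY_V1[] = "constructed-policy-v1";
static const uint8_t POLICY_V2[] = "constructed-policy-v2";

/* FNV-1a 64-bit: a stand-in for the IMA hash algorithm, not what IMA uses. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
	uint64_t h = 0xcbf29ce484222325ULL;

	for (size_t i = 0; i < n; i++) {
		h ^= p[i];
		h *= 0x100000001b3ULL;
	}
	return h;
}

static void state_init(struct policy_state *st, const uint8_t *pol, size_t len)
{
	pthread_mutex_init(&st->policy_mutex, NULL);
	st->policy = pol;
	st->policy_len = len;
	st->load_seq = 0;
}

/* Policy reload entered through the fs front end: the lock is taken
 * through fsi->state, never through a lock private to fs_info. */
static void fs_reload_policy(struct fs_info *fsi, const uint8_t *pol, size_t len)
{
	struct policy_state *st = fsi->state;

	pthread_mutex_lock(&st->policy_mutex);
	st->policy = pol;
	st->policy_len = len;
	st->load_seq++;
	pthread_mutex_unlock(&st->policy_mutex);
}

/* Measurement hook: hashes the blob and records which load it saw, under
 * the same lock, so it can never observe a half-installed policy. */
static uint64_t measure_policy(struct policy_state *st, unsigned long *seq_out)
{
	uint64_t h;

	pthread_mutex_lock(&st->policy_mutex);
	h = fnv1a64(st->policy, st->policy_len);
	if (seq_out)
		*seq_out = st->load_seq;
	pthread_mutex_unlock(&st->policy_mutex);
	return h;
}

/* Walks one reload: returns 1 if the measured hash and sequence track the
 * reload performed through the fs front end, 0 otherwise. */
static int run_reload_check(void)
{
	struct policy_state st;
	struct fs_info fsi = { .state = &st };
	unsigned long seq;

	state_init(&st, POLICY_V1, sizeof(POLICY_V1) - 1);
	if (measure_policy(&st, &seq) != fnv1a64(POLICY_V1, sizeof(POLICY_V1) - 1) || seq != 0)
		return 0;

	fs_reload_policy(&fsi, POLICY_V2, sizeof(POLICY_V2) - 1);
	if (measure_policy(&st, &seq) != fnv1a64(POLICY_V2, sizeof(POLICY_V2) - 1) || seq != 1)
		return 0;

	pthread_mutex_destroy(&st.policy_mutex);
	return 1;
}

int main(void)
{
	printf("reload check: %s\n", run_reload_check() ? "ok" : "FAILED");
	return 0;
}
```

The load_seq counter is what makes the measurement useful to a verifier: recording it next to the hash ties each measurement to a specific load rather than to whatever the blob happened to contain at an unlucky instant. Ondrej's point in the thread still stands, though: once the policy pointer is published under RCU instead of a lock, the measurement path reads a stable snapshot without taking fsi->mutex at all, so the mutex move is the interim shape, not the end state.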