Thread: 16 messages, 3 authors, 2018-04-03

[PATCH v2 1/5] selinux:Remove direct references to policydb.

From: paul@paul-moore.com (Paul Moore)
Date: 2018-02-01 15:55:46
Also in: selinux

On Thu, Feb 1, 2018 at 10:17 AM, peter enderborg
[off-list ref] wrote:
> On 01/30/2018 02:46 PM, Stephen Smalley wrote:
>> On Fri, 2018-01-26 at 15:32 +0100, peter.enderborg at sony.com wrote:
>>> From: Peter Enderborg <redacted>
>>>
>>> To be able to use rcu locks we need to address the policydb
>>> through a pointer. This preparation removes the export of the
>>> policydb and sends pointers to it through parameter arguments.
>>
>> Just for reference, I have a patch series that does this not only for
>> the policydb, sidtab, and class/perm mapping, but for all of the
>> SELinux global state, see:
>> https://github.com/stephensmalley/selinux-kernel/tree/selinuxns
>> and in particular
>> https://github.com/stephensmalley/selinux-kernel/commit/c10d90b43cd720c8f8aab51007e805bf7c4f10d2
>> https://github.com/stephensmalley/selinux-kernel/commit/ec038a64173d56a331423b6d1564b801f0915afc
>> https://github.com/stephensmalley/selinux-kernel/commit/97aa5d7a05e4458bc4562c47d8f7bc4f56fbfefd
>>
>> Those first three patches should have no effect on SELinux behavior.
>> They need to be re-based to latest selinux next branch (some minor
>> conflict resolution required) but I was waiting for that to advance to
>> something 4.15-rcX based.  I could however re-base it now if desired.
>
> I read that as that you want me to rebase the patches on that tree? Seems to
> be partly prepared but lot of changes.  Is it a moving target?

Stephen is being nice and not throwing me under the bus, but I'm most
likely the problem here.

Last summer/fall Stephen and I had a discussion about SELinux
namespacing and we talked about some of the preparatory work that
needed to be done before the namespacing work could be started.  The
namespacing work is obviously off topic for the work you are doing,
but a big part of the necessary cleanup work was the consolidation and
encapsulation of the various SELinux global state variables.  At the
time I encouraged Stephen to post this work as I felt it would be
useful independent of the namespacing work, and I think we are seeing
one reason why with the work you are doing.

I owe Stephen some review/feedback on his namespace patchset, at the
very least the global state work that he referenced with you.  I'm
just getting back from some traveling over the past week or so, let me
review the first few patches in Stephen's patchset with the idea of
getting those merged and then you can use those as a base for your
work.  From what I can see, I imagine that having Stephen's work as a
base would be helpful for you.  I'll make a promise to get Stephen
feedback by the end of next week at the latest; I'll aim for sooner.

Does that help?

-- 
paul moore
www.paul-moore.com