Thread (37 messages) 37 messages, 10 authors, 2021-06-09

Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks

From: Paul Moore <paul@paul-moore.com>
Date: 2021-06-09 02:40:44
Also in: bpf, linux-fsdevel, linuxppc-dev, lkml, netdev, selinux

On Tue, Jun 8, 2021 at 7:02 AM Ondrej Mosnacek [off-list ref] wrote:
On Thu, Jun 3, 2021 at 7:46 PM Paul Moore [off-list ref] wrote:
...
quoted
It sounds an awful lot like the lockdown hook is in the wrong spot.
It sounds like it would be a lot better to relocate the hook than
remove it.
I don't see how you would solve this by moving the hook. Where do you
want to relocate it?
Wherever it makes sense.  Based on your comments it really sounded
like the hook was in a bad spot and since your approach in a lot of
this had been to remove or disable hooks I wanted to make sure that
relocating the hook was something you had considered.  Thankfully it
sounds like you have considered moving the hook - that's good.
The main obstacle is that the message containing
the SA dump is sent to consumers via a simple netlink broadcast, which
doesn't provide a facility to redact the SA secret on a per-consumer
basis. I can't see any way to make the checks meaningful for SELinux
without a major overhaul of the broadcast logic.
Fair enough.

-- 
paul moore
www.paul-moore.com
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help