mbox series

[v2,0/3] Split security_task_getsecid() into subj and obj variants

Message ID 161609713992.55424.6906498317563652734.stgit@olly (mailing list archive)
Headers show
Series Split security_task_getsecid() into subj and obj variants | expand

Message

Paul Moore March 18, 2021, 8:42 p.m. UTC
An update on the previous RFC patchset found here:

https://lore.kernel.org/linux-security-module/161377712068.87807.12246856567527156637.stgit@sifl/

Aside from being rebased to the current SELinux next branch (which
in turn is based on v5.12-rc2), this revision changes the binder
related code to always use the objective credentials as discussed
in the thread above.  I've also dropped the AppArmor patch as John
has a better version in progress; in the meantime AppArmor should
continue to work exactly as it did before this patchset so there
is no harm in merging this without the AppArmor patch.

Casey, John, and Richard; I dropped your ACKs, Reviewed-by, etc.
tags as the binder changes seemed substantial enough to not
carryover your tags.  I would appreciate it if you could re-review
this revision; the changes should be minimal.  I did leave Mimi's
tag on this revision as she qualified it for IMA and that code
didn't change.

---

Paul Moore (3):
      lsm: separate security_task_getsecid() into subjective and objective variants
      selinux: clarify task subjective and objective credentials
      smack: differentiate between subjective and objective task credentials


 security/selinux/hooks.c   | 112 ++++++++++++++++++++++++-------------
 security/smack/smack.h     |  18 +++++-
 security/smack/smack_lsm.c |  40 ++++++++-----
 3 files changed, 117 insertions(+), 53 deletions(-)

Comments

Paul Moore March 22, 2021, 7:29 p.m. UTC | #1
On Thu, Mar 18, 2021 at 4:42 PM Paul Moore <paul@paul-moore.com> wrote:
>
> An update on the previous RFC patchset found here:
>
> https://lore.kernel.org/linux-security-module/161377712068.87807.12246856567527156637.stgit@sifl/
>
> Aside from being rebased to the current SELinux next branch (which
> in turn is based on v5.12-rc2), this revision changes the binder
> related code to always use the objective credentials as discussed
> in the thread above.  I've also dropped the AppArmor patch as John
> has a better version in progress; in the meantime AppArmor should
> continue to work exactly as it did before this patchset so there
> is no harm in merging this without the AppArmor patch.
>
> Casey, John, and Richard; I dropped your ACKs, Reviewed-by, etc.
> tags as the binder changes seemed substantial enough to not
> carryover your tags.  I would appreciate it if you could re-review
> this revision; the changes should be minimal.  I did leave Mimi's
> tag on this revision as she qualified it for IMA and that code
> didn't change.
>
> ---
>
> Paul Moore (3):
>       lsm: separate security_task_getsecid() into subjective and objective variants
>       selinux: clarify task subjective and objective credentials
>       smack: differentiate between subjective and objective task credentials
>
>
>  security/selinux/hooks.c   | 112 ++++++++++++++++++++++++-------------
>  security/smack/smack.h     |  18 +++++-
>  security/smack/smack_lsm.c |  40 ++++++++-----
>  3 files changed, 117 insertions(+), 53 deletions(-)

All three patches have been merged into selinux/next, thanks for the
help/review everyone!