diff mbox series

selinux: bring the comment about multithreaded process handling back

Message ID 20231130084453.970742-1-kamatam@amazon.com (mailing list archive)
State Changes Requested
Delegated to: Paul Moore
Headers show
Series selinux: bring the comment about multithreaded process handling back | expand

Commit Message

Munehisa Kamata Nov. 30, 2023, 8:44 a.m. UTC
Since commit d9250dea3f89 ("SELinux: add boundary support and thread
context assignment"), SELinux has been supporting assigning per-thread
security context under a constraint and the comment was updated
accordingly. However, seems like commit d84f4f992cbd ("CRED: Inaugurate
COW credentials") accidentally brought the old comment back that doesn't
match what the code does.

This just brings the updated comment back and does nothing else.

Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
---
 security/selinux/hooks.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

Paul Moore Dec. 5, 2023, 10:44 p.m. UTC | #1
On Thu, Nov 30, 2023 at 3:45 AM Munehisa Kamata <kamatam@amazon.com> wrote:
>
> Since commit d9250dea3f89 ("SELinux: add boundary support and thread
> context assignment"), SELinux has been supporting assigning per-thread
> security context under a constraint and the comment was updated
> accordingly. However, seems like commit d84f4f992cbd ("CRED: Inaugurate
> COW credentials") accidentally brought the old comment back that doesn't
> match what the code does.
>
> This just brings the updated comment back and does nothing else.
>
> Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
> Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
> ---
>  security/selinux/hooks.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 855589b64641..d147f8ac9d9d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6459,7 +6459,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
>                 if (sid == 0)
>                         goto abort_change;
>
> -               /* Only allow single threaded processes to change context */
> +               /*
> +                * SELinux allows to change context in the following case only.
> +                *  - Single threaded processes.
> +                *  - Multi threaded processes intend to change its context into
> +                *    more restricted domain (defined by TYPEBOUNDS statement).
> +                */

Hi Munehisa, good catch :)

Considering the ease of understanding the code below (the naming makes
it pretty obvious what the functions do), I think I'd rather see the
wrong comment simply removed with nothing added back to replace it.
Does that sound good to you, and if so would you mind sending an
updated patch?

>                 if (!current_is_single_threaded()) {
>                         error = security_bounded_transition(tsec->sid, sid);
>                         if (error)
> --
> 2.40.1
diff mbox series

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 855589b64641..d147f8ac9d9d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6459,7 +6459,12 @@  static int selinux_setprocattr(const char *name, void *value, size_t size)
 		if (sid == 0)
 			goto abort_change;
 
-		/* Only allow single threaded processes to change context */
+		/*
+		 * SELinux allows to change context in the following case only.
+		 *  - Single threaded processes.
+		 *  - Multi threaded processes intend to change its context into
+		 *    more restricted domain (defined by TYPEBOUNDS statement).
+		 */
 		if (!current_is_single_threaded()) {
 			error = security_bounded_transition(tsec->sid, sid);
 			if (error)