| Message ID | 20231130084453.970742-1-kamatam@amazon.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | selinux: bring the comment about multithreaded process handling back | expand |
On Thu, Nov 30, 2023 at 3:45 AM Munehisa Kamata <kamatam@amazon.com> wrote: > > Since commit d9250dea3f89 ("SELinux: add boundary support and thread > context assignment"), SELinux has been supporting assigning per-thread > security context under a constraint and the comment was updated > accordingly. However, seems like commit d84f4f992cbd ("CRED: Inaugurate > COW credentials") accidentally brought the old comment back that doesn't > match what the code does. > > This just brings the updated comment back and does nothing else. > > Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials") > Signed-off-by: Munehisa Kamata <kamatam@amazon.com> > --- > security/selinux/hooks.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 855589b64641..d147f8ac9d9d 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -6459,7 +6459,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) > if (sid == 0) > goto abort_change; > > - /* Only allow single threaded processes to change context */ > + /* > + * SELinux allows to change context in the following case only. > + * - Single threaded processes. > + * - Multi threaded processes intend to change its context into > + * more restricted domain (defined by TYPEBOUNDS statement). > + */ Hi Munehisa, good catch :) Considering the ease of understanding the code below (the naming makes it pretty obvious what the functions do), I think I'd rather see the wrong comment simply removed with nothing added back to replace it. Does that sound good to you, and if so would you mind sending an updated patch? > if (!current_is_single_threaded()) { > error = security_bounded_transition(tsec->sid, sid); > if (error) > -- > 2.40.1
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 855589b64641..d147f8ac9d9d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6459,7 +6459,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) if (sid == 0) goto abort_change; - /* Only allow single threaded processes to change context */ + /* + * SELinux allows to change context in the following case only. + * - Single threaded processes. + * - Multi threaded processes intend to change its context into + * more restricted domain (defined by TYPEBOUNDS statement). + */ if (!current_is_single_threaded()) { error = security_bounded_transition(tsec->sid, sid); if (error)
Since commit d9250dea3f89 ("SELinux: add boundary support and thread context assignment"), SELinux has been supporting assigning per-thread security context under a constraint and the comment was updated accordingly. However, seems like commit d84f4f992cbd ("CRED: Inaugurate COW credentials") accidentally brought the old comment back that doesn't match what the code does. This just brings the updated comment back and does nothing else. Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials") Signed-off-by: Munehisa Kamata <kamatam@amazon.com> --- security/selinux/hooks.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)