[PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls

James Morris jmorris at namei.org
Tue Jan 29 17:25:06 UTC 2019


On Mon, 28 Jan 2019, Micah Morton wrote:

> FWIW, I've now done a manual test of this LSM's functionality on a
> Linux VM built from the next-general branch. Adding policies, policy
> enforcement by the LSM, and flushing policies all worked as intended.
> 
> So there hopefully won't be any more surprises.

It would be useful to publish these as a testsuite, or include a test 
script in the kernel tree.


> 
> On Mon, Jan 28, 2019 at 12:19 PM Micah Morton <mortonm at chromium.org> wrote:
> >
> > On Mon, Jan 28, 2019 at 11:56 AM Kees Cook <keescook at chromium.org> wrote:
> > >
> > > On Tue, Jan 29, 2019 at 8:47 AM Micah Morton <mortonm at chromium.org> wrote:
> > > >
> > > > I'm getting the following crash when booting after compiling a kernel
> > > > with this LSM enabled, so I'll have to figure out what is going on.
> > > > All the "core" functionality of this LSM has been tested thoroughly
> > > > (we're already using this LSM on ChromeOS), but looks like there's
> > > > some debugging of the initialization that still needs to be done.
> > >
> > >
> > > +DEFINE_LSM(safesetid_security_init) = {
> > > +       .init = safesetid_security_init,
> > > +};
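
Review bot: the DEFINE_LSM(safesetid_security_init) initializer sets only .init and leaves .name unset. Add .name = "safesetid", next to .init so the LSM is defined with its name; the replies in this thread attribute the boot crash to that missing field and report that adding it fixed the boot.
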
> > >
> > > I think this is from not having:
> > >
> > > .name = "safesetid",
> >
> > That fixed it for me! Thanks
> >
> > >
> > > I missed that in the review, sorry!
> > >
> > > --
> > > Kees Cook
> 

-- 
James Morris
<jmorris at namei.org>
