Preferred subj= with multiple LSMs
Casey Schaufler
casey at schaufler-ca.com
Tue Jul 16 23:47:45 UTC 2019
On 7/16/2019 4:13 PM, Paul Moore wrote:
> On Tue, Jul 16, 2019 at 6:18 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> It sounds as if some variant of the Hideous format:
>>
>> subj=selinux='a:b:c:d',apparmor='z'
>> subj=selinux/a:b:c:d/apparmor/z
>> subj=(selinux)a:b:c:d/(apparmor)z
>>
>> would meet Steve's searchability requirements, but with significant
>> parsing performance penalties.
> I think "hideous format" sums it up nicely. Whatever we choose here
> we are likely going to be stuck with for some time and I'm near to
> 100% that multiplexing the labels onto a single field is going to be a
> disaster.
If the requirement is that subj= be searchable I don't see much of
an alternative to a Hideous format. If we can get past that, and say
that all subj_* have to be searchable we can avoid that set of issues.
Instead of:

    s = strstr(source, "subj=");
    search_after_subj(s, ...);

we have

    s = source;
    for (i = 0; i < lsm_slots; i++) {
        s = strstr(s, "subj_");
        if (!s)
            break;
        s = search_after_subj_(s, lsm_slot_name[i], ...);
    }

There's enough ugly to go around either way.
And I'm not partial to either approach, but would very
much like to get the code done so I can get on to the next
set of amazing challenges.
Oh, and I don't want to pick on subj= as obj= has the exact same issues.
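
Added example, not part of the original message or of any kernel or audit userspace code: a self-contained C sketch of the per-LSM field lookup discussed above. It assumes space-separated records and a hypothetical `subj_<lsm>=` key spelling, and unlike the loop in the message it does not depend on the fields appearing in slot order.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical slot table; the subj_<lsm>= key spelling is an assumption. */
static const char *lsm_slot_name[] = { "selinux", "apparmor" };
#define LSM_SLOTS (sizeof(lsm_slot_name) / sizeof(lsm_slot_name[0]))

/*
 * Copy the value of "subj_<lsm>=" from a space-separated record into out.
 * Returns the value length, 0 if the field is absent or empty,
 * -1 if the key or the value does not fit its buffer.
 */
static int get_subj(const char *rec, const char *lsm, char *out, size_t outlen)
{
	char key[64];
	int klen = snprintf(key, sizeof(key), "subj_%s=", lsm);
	const char *s = rec;

	if (klen < 0 || (size_t)klen >= sizeof(key))
		return -1;
	while ((s = strstr(s, key)) != NULL) {
		/* Accept only a match at a field boundary, not inside another key. */
		if (s == rec || s[-1] == ' ') {
			size_t vlen = strcspn(s + klen, " \n");

			if (vlen >= outlen)
				return -1;	/* refuse to truncate a label */
			memcpy(out, s + klen, vlen);
			out[vlen] = '\0';
			return (int)vlen;
		}
		s += klen;	/* false match, keep scanning */
	}
	return 0;
}

int main(void)
{
	/* Constructed sample record, not real audit output. */
	const char *rec = "type=SYSCALL pid=42 xsubj_apparmor=decoy "
			  "subj_selinux=a:b:c:d subj_apparmor=z comm=\"cat\"";
	char label[128];
	size_t i;

	for (i = 0; i < LSM_SLOTS; i++)
		if (get_subj(rec, lsm_slot_name[i], label, sizeof(label)) > 0)
			printf("%s: %s\n", lsm_slot_name[i], label);
	return 0;
}
```

The boundary check is what keeps a bare `strstr()` from returning the value of a longer key that merely ends in `subj_<lsm>=`.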