Problem with 9ba09998baa9 ("selinux: Implement the watch_key security hook") in linux-next
David Howells
dhowells at redhat.com
Fri Apr 24 23:43:22 UTC 2020
Paul Moore <paul at paul-moore.com> wrote:
> > > and then use this newly created mapping function in [...]
> > > selinux_watch_key()
> >
> > No, I think I should just hard-code KEY__VIEW there.
>
> FWIW, my comment was based on a version of linux-next where you were
> making policycap based permission adjustments to KEY_VIEW and I
> thought you would want the same adjustments to be applied to both
> access control points. That code appears to now be gone in
> linux-next.
I don't think I changed KEY_VIEW specifically; anyway, that code is on hold
for the moment since it collides with this.
What I was wondering is if I should change KEY_NEED_xxx from a bitmask into an
enum to remove the confusion about whether or not you're allowed to provide
multiple 'needs' OR'd together.
> > + perm = selinux_keyperm_to_av(need_perm);
>
> ... and add a check for (perm < 0) as discussed above if we stick with
> the switch statement.
Actually, there was supposed to be a:
if (!perm)
return -EPERM;
after that line.
David
More information about the Linux-security-module-archive
mailing list