Problem with 9ba09998baa9 ("selinux: Implement the watch_key security hook") in linux-next

David Howells dhowells at
Fri Apr 24 23:43:22 UTC 2020

Paul Moore <paul at> wrote:

> > > and then use this newly created mapping function in [...]
> > > selinux_watch_key()
> >
> > No, I think I should just hard-code KEY__VIEW there.
> FWIW, my comment was based on a version of linux-next where you were
> making policycap based permission adjustments to KEY_VIEW and I
> thought you would want the same adjustments to be applied to both
> access control points.  That code appears to now be gone in
> linux-next.

I don't think I changed KEY_VIEW specifically; anyway, that code is on hold
for the moment since it collides with this.

What I was wondering is if I should change KEY_NEED_xxx from a bitmask into an
enum to remove the confusion about whether or not you're allowed to provide
multiple 'needs' OR'd together.

> > +       perm = selinux_keyperm_to_av(need_perm);
> ... and add a check for (perm < 0) as discussed above if we stick with
> the switch statement.

Actually, there was supposed to be a:

	if (!perm)
		return -EPERM;

after that line.


More information about the Linux-security-module-archive mailing list