[PATCH] selinux: Fix use of KEY_NEED_* instead of KEY__* perms [v2]
Stephen Smalley
stephen.smalley.work at gmail.com
Tue Apr 28 16:19:02 UTC 2020
On Tue, Apr 28, 2020 at 11:58 AM David Howells <dhowells at redhat.com> wrote:
>
> Stephen Smalley <stephen.smalley.work at gmail.com> wrote:
>
> > 1) Are we guaranteed that the caller only ever passes a single
> > KEY_NEED_* perm at a time (i.e. hook is never called with a bitmask
> > of multiple permissions)? Where is that guarantee enforced?
>
> Currently it's the case that only one perm is ever used at once. I'm tempted
> to enforce this by switching the KEY_NEED_* to an enum rather than a bitmask.
>
> I'm not sure how I would actually define the meaning of two perms being OR'd
> together. Either okay? Both required?
Both required is the usual convention in functions like
inode_permission() or avc_has_perm().
But if you know that you'll never use combinations, we should just
prohibit it up front, e.g.
key_task_permission() or whatever can reject them before they reach
the hook call. Then the
hook code doesn't have to revisit the issue.
>
> > 2) We had talked about adding a BUILD_BUG_ON() or other build-time
> > guard
>
> That doesn't help you trap unallowed perm combinations, though.
I think we want both.
>
> > to ensure that new KEY_NEED_* permissions
> > are not added without updating SELinux. We already have similar
> > constructs for catching new capabilities (#if CAP_LAST_CAP > 63 #error
> > ...), socket address families (#if PF_MAX > 45 #error ...), RTM_* and
> > XFRM_MSG* values.
>
> David
>
More information about the Linux-security-module-archive
mailing list