[PATCH] selinux: Fix use of KEY_NEED_* instead of KEY__* perms [v2]

Stephen Smalley stephen.smalley.work at gmail.com
Tue Apr 28 16:19:02 UTC 2020

On Tue, Apr 28, 2020 at 11:58 AM David Howells <dhowells at redhat.com> wrote:
> Stephen Smalley <stephen.smalley.work at gmail.com> wrote:
> > 1) Are we guaranteed that the caller only ever passes a single
> > KEY_NEED_* perm at a time (i.e. hook is never called with a bitmask
> > of multiple permissions)?  Where is that guarantee enforced?
> Currently it's the case that only one perm is ever used at once.  I'm tempted
> to enforce this by switching the KEY_NEED_* to an enum rather than a bitmask.
> I'm not sure how I would actually define the meaning of two perms being OR'd
> together.  Either okay?  Both required?

Both required is the usual convention in functions like
inode_permission() or avc_has_perm().
But if you know that you'll never use combinations, we should just
prohibit it up front, e.g.
key_task_permission() or whatever can reject them before they reach
the hook call.  Then the
hook code doesn't have to revisit the issue.

> > 2) We had talked about adding a BUILD_BUG_ON() or other build-time
> > guard
> That doesn't help you trap unallowed perm combinations, though.

I think we want both.

> > to ensure that new KEY_NEED_* permissions
> > are not added without updating SELinux.  We already have similar
> > constructs for catching new capabilities (#if CAP_LAST_CAP > 63 #error
> > ...), socket address families (#if PF_MAX > 45 #error ...),  RTM_* and
> > XFRM_MSG* values.
> David

More information about the Linux-security-module-archive mailing list