[PATCH] socket.7,unix.7: add initial description for SO_PEERSEC

Simon McVittie smcv at collabora.com
Fri Sep 11 09:23:20 UTC 2020


On Thu, 10 Sep 2020 at 17:00:59 -0400, Stephen Smalley wrote:
> +For SELinux, the security context string is a null-terminated
> +string and the returned length includes the terminating null.
> +Other security modules may differ.
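Review bot: the added sentences state only what SELinux does and then say other modules "may differ", which leaves a portable caller with no documented contract at all; the text should state what every module is required to provide. Suggest replacing the SELinux-specific wording with something like "The returned length may or may not include a terminating null byte; the string contains no other null bytes" and, if SELinux is to be named, giving it as an example of the first case rather than as the rule. Also, man-pages(7) style prefers "null byte" to "null" and "terminating null".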

We discussed this interface a while ago when I was setting up dbus to
use SO_PEERSEC. It would be really useful if the man page documented
what callers can and can't expect from an unknown LSM, so that the
author of the next D-Bus-equivalent doesn't have to turn up on the
linux-security-module list and annoy maintainers like I did.

Perhaps something like this?

    The security context string may include a terminating null character
    in the returned length, but is not guaranteed to do so:
    a security context "foo" might be represented as either {'f','o','o'}
    of length 3 or {'f','o','o','\0'} of length 4, which are considered
    to be interchangeable. It is printable, does not contain non-terminating
    null characters, and is in an unspecified encoding (in particular it is
    not guaranteed to be ASCII or UTF-8).

Thanks,
    smcv
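As an added example, not part of this message, the patch, or D-Bus's own code: a small C helper that applies the contract proposed above to a raw SO_PEERSEC buffer. One trailing null byte is accepted and dropped, any other null byte or ASCII control byte makes the value invalid, bytes at or above 0x80 are left alone because the encoding is unspecified, and "foo" with length 3 compares equal to "foo\0" with length 4. The function names peersec_normalize, peersec_equal and peersec_get are hypothetical, and the SELinux-style context string in the comments is constructed rather than captured. The fetch helper also retries on ERANGE, which is how SELinux reports a too-small buffer, with the required size placed in optlen.

```c
/* Added example (not from this thread or from D-Bus): handling a
 * SO_PEERSEC result under the contract proposed in the message above.
 * Function names are hypothetical; sample contexts are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Normalise a raw SO_PEERSEC buffer of 'len' bytes: one trailing null
 * byte, if present, is dropped (whether it is there is LSM-specific);
 * any other null byte or ASCII control byte makes the value invalid
 * (-1).  Bytes >= 0x80 pass through because the encoding is unspecified.
 * Returns the normalised length (0 for an empty label). */
ssize_t peersec_normalize(const char *buf, size_t len)
{
    if (len > 0 && buf[len - 1] == '\0')
        len--;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c < 0x20 || c == 0x7f)   /* rejects '\0' as well */
            return -1;
    }
    return (ssize_t)len;
}

/* "foo"/3 and "foo\0"/4 are interchangeable; invalid values never match. */
int peersec_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    ssize_t na = peersec_normalize(a, alen);
    ssize_t nb = peersec_normalize(b, blen);
    if (na < 0 || nb < 0 || na != nb)
        return 0;
    return memcmp(a, b, (size_t)na) == 0;
}

/* Fetch the peer's context from a connected AF_UNIX socket into a
 * malloc'd, null-terminated buffer.  On ERANGE the buffer is grown
 * (SELinux, for instance, writes the required size to optlen) and the
 * call retried.  Returns the normalised length, or -1 with errno set
 * (EPROTO if the value violates the contract above). */
ssize_t peersec_get(int fd, char **out)
{
    socklen_t cap = 64;
    char *buf = malloc(cap + 1);
    if (!buf)
        return -1;
    for (;;) {
        socklen_t got = cap;
        if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &got) == 0) {
            ssize_t n = peersec_normalize(buf, got);
            if (n < 0) {
                free(buf);
                errno = EPROTO;
                return -1;
            }
            buf[n] = '\0';          /* n <= cap, and cap + 1 bytes exist */
            *out = buf;
            return n;
        }
        if (errno != ERANGE) {
            int saved = errno;
            free(buf);
            errno = saved;
            return -1;
        }
        socklen_t need = got > cap ? got : cap * 2;
        char *grown = realloc(buf, need + 1);
        if (!grown) {
            free(buf);
            return -1;
        }
        buf = grown;
        cap = need;
    }
}

int main(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair");
        return 1;
    }
    char *ctx = NULL;
    ssize_t n = peersec_get(sv[0], &ctx);
    if (n < 0)
        perror("SO_PEERSEC");   /* e.g. no LSM on this host provides it */
    else
        printf("peer context (%zd bytes): %s\n", n, ctx);
    free(ctx);
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

On a host without an LSM that implements SO_PEERSEC the getsockopt call fails with ENOPROTOOPT and main just reports that; the normalisation and comparison helpers do not need a live LSM and are what a D-Bus-like consumer should run before treating the label as a string or comparing it against a policy.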