[RFC PATCH v2 5/5] selinux: introduce kdbus access controls

Paul Moore pmoore at redhat.com
Tue Oct 6 22:20:51 UTC 2015


On Tuesday, October 06, 2015 08:55:33 PM Nicolas Iooss wrote:
> On 10/05/2015 10:41 PM, Paul Moore wrote:
> > Add the SELinux access control implementation for the new kdbus LSM
> 
> > hooks using the new kdbus object class and the following permissions:
> [[SNIP]]
> 
> > diff --git a/security/selinux/include/classmap.h
> > b/security/selinux/include/classmap.h index eccd61b..31e4435 100644
> > --- a/security/selinux/include/classmap.h
> > +++ b/security/selinux/include/classmap.h
> > @@ -153,5 +153,9 @@ struct security_class_mapping secclass_map[] = {
> > 
> >  	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
> >  	
> >  	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
> >  	
> >  		      NULL } },
> > 
> > +	{ "kdbus", { "impersonate", "fakecreds", "fakepids", "owner",
> > +		     "privileged", "activator", "monitor", "policy_holder",
> > +		     "connect", "own", "talk", "see", "see_name",
> > +		     "see_notification" } },
> > 
> >  	{ NULL }
> >  	
> >    };
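Review bot: the permission list in the added "kdbus" entry ends at `"see_notification" } },` with no NULL terminator, while the "binder" entry in the context lines directly above closes its list with `NULL } },` and the table itself ends with the `{ NULL }` sentinel. Append `NULL` after `"see_notification"` so the new entry follows the same explicit-terminator convention as its neighbours and does not rely on how the rest of the array happens to be initialised.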
> 
> Hello,
> Out of curiosity, why is the new list of permissions not
> NULL-terminated?

Honest answer: I forgot :)

These patches are still "RFC quality" which means I'm emphasizing getting the 
patches posted quickly (hardy har har) and not putting the code through as 
much testing and scrutiny as I usually do.  The idea right now is to get 
feedback about the hooks and the individual LSM implementations.

Regardless, thanks for catching the missing terminator, the fix will be in the 
next draft of the patches.

-- 
paul moore
security @ redhat



