Re: [PATCH v2] selinux: add support for xperms in conditional policies

From: Paul Moore
Date: Mon Dec 02 2024 - 22:27:19 EST


On Thu, Nov 28, 2024 at 7:49 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
> On Thu, 31 Oct 2024 at 23:20, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > On Wed, Oct 23, 2024 at 11:27 AM Christian Göttsche
> > <cgoettsche@xxxxxxxxxxxxx> wrote:
> > >
> > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > >
> > > Add support for extended permission rules in conditional policies.
> > > Currently the kernel accepts such rules already, but evaluating a
> > > security decision will hit a BUG() in
> > > services_compute_xperms_decision(). Thus reject extended permission
> > > rules in conditional policies for current policy versions.
> > >
> > > Add a new policy version for this feature.
> > >
> > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > > ---
> > > v2:
> > > rebased onto the netlink xperm patch
> > > ---
> > > security/selinux/include/security.h | 3 ++-
> > > security/selinux/ss/avtab.c | 11 +++++++++--
> > > security/selinux/ss/avtab.h | 2 +-
> > > security/selinux/ss/conditional.c | 2 +-
> > > security/selinux/ss/policydb.c | 5 +++++
> > > security/selinux/ss/services.c | 12 ++++++++----
> > > 6 files changed, 26 insertions(+), 9 deletions(-)
> >
> > This looks fine to me, but I believe there are some outstanding
> > userspace issues that need to be resolved?
>
> Hi,
>
> I know it's very late in the development cycle, but I wanted to ask if
> there is a chance this could be merged for 6.13?

I'm sorry, but it is/was too late for those changes to be merged into
the kernel. I'm sure you've seen this already, but the process is
documented in the README.md file which is linked below:

* https://github.com/SELinuxProject/selinux-kernel/blob/main/README.md

The relevant portion is copied below:

"During the development cycle that starts with the close of the kernel
merge window and ends with the tagged kernel release, patches will be
accepted into the stable-X.Y and dev branches as described in their
respective sections in this document. While patches will be accepted
into the stable-X.Y branch at any point in time, significant changes
will likely not be accepted into the dev branch when there are two or
less weeks left in the development cycle; this typically means that
only critical bugfixes are accepted once the vX.Y-rc6 kernel is
released."

> The userspace patches are merged and currently part of 3.8-rc1, and
> these kernel changes are quite simple, since most of the needed
> functionality was already in place.
> I created a testsuite patch over at
> https://github.com/SELinuxProject/selinux-testsuite/pull/98.

Thank you!

--
paul-moore.com