Re: [PATCH RFC 6/15] LSM: Exclusive secmark usage

Next message: Paul Moore: "Re: [PATCH RFC 7/15] Audit: Call only the first of the audit rule hooks"
Previous message: Paul Moore: "Re: [PATCH RFC 5/15] LSM: Single calls in secid hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paul Moore

Date: Tue Oct 14 2025 - 19:12:52 EST

On Jun 21, 2025 Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> The network secmark can only be used by one security module
> at a time. Establish mechanism to identify to security modules
> whether they have access to the secmark. SELinux already
> incorparates mechanism, but it has to be added to Smack and
> AppArmor.
>
> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> ---
> include/linux/lsm_hooks.h | 1 +
> security/apparmor/include/net.h | 5 +++++
> security/apparmor/lsm.c | 7 ++++---
> security/lsm_init.c | 6 ++++++
> security/selinux/hooks.c | 4 +++-
> security/smack/smack.h | 5 +++++
> security/smack/smack_lsm.c | 3 ++-
> security/smack/smack_netfilter.c | 10 ++++++++--
> 8 files changed, 34 insertions(+), 7 deletions(-)

We discussed this patch in a separate patchset, lore link below.

https://lore.kernel.org/linux-security-module/20251001215643.31465-1-casey@xxxxxxxxxxxxxxxx/

--
paul-moore.com