On 12/11/2015 10:37 AM, Daniel Cashman wrote: > Hello, > > I would like to write a patch that would expose, via selinuxfs, the > mapping between secids in the kernel and security contexts to > user-space, but before doing so wanted to get some feedback as to > whether or not such an endeavor could have any support upstream.
Please abandon this. > The > direct motivation for this is the desire to communicate calling security > ids/contexts over binder IPC on android for use in a user-space object > manager. Passing the security ids themselves would be simpler and more > efficient in the critical kernel path, but they currently have no > user-space meaning. The security module infrastructure makes no guarantees about secids. A security module is not required to maintain a persistent relationship between the secid and a particular secctx. SELinux does maintain a persistent relationship, but I don't believe that there is any desire to commit to everything associated with exposing that. Binder ought to have access to more than the secid of the processes and objects involved. Look into the possibilities there before you take this approach. > > Thank You, > Dan > -- > To unsubscribe from this list: send the line "unsubscribe > linux-security-module" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
