On Tue, Dec 15, 2015 at 3:58 PM, Daniel Cashman wrote:
> On 12/15/2015 07:00 AM, Stephen Smalley wrote:
>> 1. I don't think it is the size of the context that is the concern but
>> rather the fact that it is a variable-length string, whereas current
>> binder commands use
On Tue, Dec 15, 2015 at 2:09 PM, Joe Nall wrote:
>> On Dec 15, 2015, at 12:03 PM, Stephen Smalley wrote:
>> Are you patching the kernel to support > 4K contexts?
>> Otherwise, I'd expect you run up against the proc and selinuxfs API
>> limitations (page size)
On 12/15/2015 11:06 AM, Casey Schaufler wrote:
On 12/15/2015 7:00 AM, Stephen Smalley wrote:
On 12/14/2015 05:57 PM, Roberts, William C wrote:
If I understand correctly, the goal here is to avoid the lookup from
pid to context. If we somehow had the context or a token to a context
during
On 12/15/2015 12:19 PM, Joe Nall wrote:
On Dec 15, 2015, at 10:06 AM, Casey Schaufler wrote:
...
I have long wondered why SELinux generates the context string
of the secid more than once. Audit performance alone would
justify keeping it around. The variable length
> On Dec 15, 2015, at 10:06 AM, Casey Schaufler wrote:
>
> ...
> I have long wondered why SELinux generates the context string
> of the secid more than once. Audit performance alone would
> justify keeping it around. The variable length issue isn't
> so difficult as you
On 12/15/2015 8:55 AM, Stephen Smalley wrote:
> On 12/15/2015 11:06 AM, Casey Schaufler wrote:
>> On 12/15/2015 7:00 AM, Stephen Smalley wrote:
>>> On 12/14/2015 05:57 PM, Roberts, William C wrote:
>>
>> If I understand correctly, the goal here is to avoid the lookup from
>> pid
> On Dec 15, 2015, at 12:03 PM, Stephen Smalley wrote:
>
> On 12/15/2015 12:19 PM, Joe Nall wrote:
>>
>>> On Dec 15, 2015, at 10:06 AM, Casey Schaufler
>>> wrote:
>>>
>>> ...
>>> I have long wondered why SELinux generates the context string
>>> of
On 12/15/2015 07:00 AM, Stephen Smalley wrote:
> On 12/14/2015 05:57 PM, Roberts, William C wrote:
>>
If I understand correctly, the goal here is to avoid the lookup from
pid to context. If we somehow had the context or a token to a context
during the ipc transaction to
On 12/14/2015 05:57 PM, Roberts, William C wrote:
If I understand correctly, the goal here is to avoid the lookup from
pid to context. If we somehow had the context or a token to a context
during the ipc transaction to userspace, we could just use that in
computing the access decision. If
On 12/14/2015 12:03 PM, Mike Palmiotto wrote:
On Sun, Dec 13, 2015 at 5:06 PM, Paul Moore wrote:
On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
Perhaps we could provide a new fixed-size tokenized version of the
security context string for export to
On Sun, Dec 13, 2015 at 5:06 PM, Paul Moore wrote:
> On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
>> Perhaps we could provide a new fixed-size tokenized version of the
>> security context string for export to userspace that could be embedded
>> in the
On 12/14/2015 9:03 AM, Mike Palmiotto wrote:
> On Sun, Dec 13, 2015 at 5:06 PM, Paul Moore wrote:
>> On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
>>> Perhaps we could provide a new fixed-size tokenized version of the
>>> security context string for export
> Subject: Re: Exposing secid to secctx mapping to user-space
>
> On 12/13/2015 2:06 PM, Paul Moore wrote:
> > On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
> >> Perhaps we could provide a new fixed-size tokenized version of the
> >> s
> >
> > If I understand correctly, the goal here is to avoid the lookup from
> > pid to context. If we somehow had the context or a token to a context
> > during the ipc transaction to userspace, we could just use that in
> > computing the access decision. If that is correct, then since we have
>
On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
> Perhaps we could provide a new fixed-size tokenized version of the
> security context string for export to userspace that could be embedded
> in the binder transaction structure? This could avoid both the
> limitations of the
On 12/11/2015 02:55 PM, Paul Moore wrote:
On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman wrote:
Hello,
I would like to write a patch that would expose, via selinuxfs, the
mapping between secids in the kernel and security contexts to
user-space, but before doing so
On 12/11/2015 2:14 PM, Stephen Smalley wrote:
> On 12/11/2015 02:55 PM, Paul Moore wrote:
>> On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman wrote:
>>> Hello,
>>>
>>> I would like to write a patch that would expose, via selinuxfs, the
>>> mapping between secids in the kernel
On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman wrote:
> Hello,
>
> I would like to write a patch that would expose, via selinuxfs, the
> mapping between secids in the kernel and security contexts to
> user-space, but before doing so wanted to get some feedback as to
>
On 12/11/2015 10:37 AM, Daniel Cashman wrote:
> Hello,
>
> I would like to write a patch that would expose, via selinuxfs, the
> mapping between secids in the kernel and security contexts to
> user-space, but before doing so wanted to get some feedback as to
> whether or not such an endeavor could
20 matches