Re: [RFC PATCH 3/5] sctp: Add LSM hooks

2017-10-20 Thread Richard Haines
On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote: > On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote: > > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines > > wrote: > > > Add security hooks to allow security modules to exercise access > > > control > >

[PATCH 2/2] IMA: Support using new creds in appraisal policy

2017-10-20 Thread Matthew Garrett via Selinux
The existing BPRM_CHECK functionality in IMA validates against the credentials of the existing process, not any new credentials that the child process may transition to. Add an additional CREDS_CHECK target and refactor IMA to pass the appropriate creds structure. In ima_bprm_check(), check with

[PATCH] libselinux: android: support exact match for a property key

2017-10-20 Thread Jaekyun Seok via Selinux
Perform an exact match if a property key in property contexts ends with '$', instead of a prefix match. This will make it possible to define an exact rule that can avoid unexpected context assignment. Signed-off-by: Jaekyun Seok --- libselinux/src/label_backends_android.c | 9 +++--

Re: [PATCH net-next v7 3/5] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-20 Thread James Morris
On Wed, 18 Oct 2017, Chenbo Feng wrote: > From: Chenbo Feng > > Introduce several LSM hooks for the syscalls that will allow > userspace to access eBPF objects such as eBPF programs and eBPF maps. > The security check is aimed to enforce a per object security protection

Re: [PATCH 1/2] security: Add a cred_getsecid hook

2017-10-20 Thread Casey Schaufler
On 10/19/2017 4:14 PM, Matthew Garrett wrote: > For IMA purposes, we want to be able to obtain the prepared secid in the > bprm structure before the credentials are committed. Add a cred_getsecid > hook that makes this possible. > > Signed-off-by: Matthew Garrett > Cc: Paul

Re: [PATCH net-next v7 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-20 Thread James Morris
On Wed, 18 Oct 2017, Chenbo Feng wrote: > From: Chenbo Feng > > Implement the actual checks introduced to eBPF related syscalls. This > implementation uses the security field inside the bpf object to store a sid that > identifies the bpf object. And when processes try to access the

Re: [RFC PATCH 3/5] sctp: Add LSM hooks

2017-10-20 Thread Neil Horman
On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote: > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines > wrote: > > Add security hooks to allow security modules to exercise access control > > over SCTP. > > > > Signed-off-by: Richard Haines

Re: [RFC PATCH 1/5] security: Add support for SCTP security hooks

2017-10-20 Thread James Morris
On Tue, 17 Oct 2017, Richard Haines wrote: > The SCTP security hooks are explained in: > Documentation/security/LSM-sctp.txt > > Signed-off-by: Richard Haines > --- > Documentation/security/LSM-sctp.txt | 212 > >

Re: [PATCH net-next v7 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control

2017-10-20 Thread David Miller
Series applied.

Re: [RFC PATCH 3/5] sctp: Add LSM hooks

2017-10-20 Thread Xin Long
On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines wrote: > On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote: >> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote: >> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines >> >

Re: [PATCH] libselinux: android: support exact match for a property key

2017-10-20 Thread Jeffrey Vander Stoep via Selinux
Please hold off on submission. We're discussing if this is really necessary. On Thu, Oct 19, 2017 at 4:49 PM, Jaekyun Seok via Selinux wrote: > Performs exact match if a property key of property contexts ends with '$' > instead of prefix match. > > This will enable to

Re: [PATCH] libselinux: android: support exact match for a property key

2017-10-20 Thread William Roberts
On Fri, Oct 20, 2017 at 7:54 AM, Jeffrey Vander Stoep via Selinux wrote: > Please hold off on submission. We're discussing if this is really necessary. Yeah, I'd like to hear about what issues the current longest match logic was causing in the commit message. > > On Thu,

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-20 Thread William Roberts
On Thu, Oct 19, 2017 at 3:12 PM, Nicolas Iooss wrote: > On Thu, Oct 19, 2017 at 9:46 PM, Stephen Smalley wrote: >> On Thu, 2017-10-19 at 14:27 -0400, Stephen Smalley wrote: >>> On Thu, 2017-10-19 at 09:25 -0700, William Roberts wrote: >>> > On Thu, Oct

Re: [RFC PATCH 5/5] selinux: Add SCTP support

2017-10-20 Thread Stephen Smalley
On Tue, 2017-10-17 at 14:59 +0100, Richard Haines wrote: > The SELinux SCTP implementation is explained in: > Documentation/security/SELinux-sctp.txt > > Signed-off-by: Richard Haines > --- >  Documentation/security/SELinux-sctp.txt | 108 + >