Re: [PATCH v2 1/2] security: Add hook to invalidate inode security labels

2015-10-05 Thread Casey Schaufler
On 10/4/2015 12:19 PM, Andreas Gruenbacher wrote:
> Add a hook to invalidate an inode's security label when the cached information becomes invalid.
Where is this used? If I need to do the same for Smack or any other module, how would I know that it works right?
>
> Implement the new hook in

[RFC PATCH v2 1/5] kdbus: add creator credentials to the endpoints

2015-10-05 Thread Paul Moore
In order to effectively enforce LSM based access controls we need to have more information about the kdbus endpoint creator than the uid/gid currently stored in the kdbus_node_type struct. This patch replaces the uid/gid values with a reference to the node creator's credential struct which serves

[RFC PATCH v2 3/5] lsm: add support for auditing kdbus service names

2015-10-05 Thread Paul Moore
The kdbus service names will be recorded using 'service', similar to the existing dbus audit records.
Signed-off-by: Paul Moore
---
ChangeLog:
- v2
  * Initial draft
---
 include/linux/lsm_audit.h | 2 ++
 security/lsm_audit.c      | 4
 2 files changed, 6

[RFC PATCH v2 2/5] lsm: introduce hooks for kdbus

2015-10-05 Thread Paul Moore
Add LSM access control hooks to kdbus; several new hooks are added and the existing security_file_receive() hook is reused. The new hooks are listed below:
* security_kdbus_conn_new
  Check if the current task is allowed to create a new kdbus connection.
* security_kdbus_own_name
  Check

[RFC PATCH v2 5/5] selinux: introduce kdbus access controls

2015-10-05 Thread Paul Moore
Add the SELinux access control implementation for the new kdbus LSM hooks using the new kdbus object class and the following permissions:
[NOTE: permissions below are based on kdbus code from Aug 2015]
* kdbus:impersonate
  Send a different security label to kdbus peers.
* kdbus:fakecreds

[PATCH] security: selinux: Use a kmem_cache for allocation struct file_security_struct

2015-10-05 Thread Sangwoo
The size of struct file_security_struct is 16 bytes in my setup. But the real allocation size for each file_security_struct is 64 bytes in my setup, because the kmalloc minimum size is 64 bytes since ARCH_DMA_MINALIGN is 64. This allocation is performed every time a file is allocated (alloc_file()). So, the

Re: MAP_STACK and execstack

2015-10-05 Thread Stephen Smalley
On 10/02/2015 04:44 PM, Nick Kralevich wrote:
Currently, SELinux implements the "execstack" capability using the following code:
security/selinux/hooks.c, function selinux_file_mprotect():
} else if (!vma->vm_file && vma->vm_start <= vma->vm_mm->start_stack &&