Re: [PATCH v3 09/16] SELinux: Abstract use of file security blob

From: Casey Schaufler
Date: Thu Sep 20 2018 - 11:21:02 EST


On 9/20/2018 1:51 AM, David Laight wrote:
> From: Casey Schaufler
>> Sent: 20 September 2018 01:21
>>
>> SELinux: Abstract use of file security blob
>>
>> Don't use the file->f_security pointer directly.
>> Provide a helper function that provides the security blob pointer.
> ...
>> +static inline struct file_security_struct *selinux_file(const struct file *file)
>> +{
>> + return file->f_security;
>> +}
>> +
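Review bot: neither the changelog nor the new selinux_file() helper says why the indirection is needed, which is what prompts the "Why?" below. A one-line comment above the helper, or a sentence in the commit message, stating that the blob will stop being file->f_security itself in patch 16/16 and that all SELinux code must therefore go through selinux_file(), would make this patch reviewable on its own.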
> Why?

In patch 16/16 this becomes:

static inline struct file_security_struct *selinux_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + selinux_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
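Review bot: in the CONFIG_SECURITY_STACKING branch, `file->f_security + selinux_blob_sizes.lbs_file` scales the addition by the declared type of f_security, which these lines do not show. If lbs_file is a byte offset, the expression is only correct while f_security is void * (GNU void-pointer arithmetic) or char *, so a comment saying that lbs_file is in bytes would help. If lbs_file can be guaranteed to be 0 when stacking is not configured, a single return statement would also remove the #ifdef from the function body.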

You could hard code this bit everywhere it's used, but that
would be prone to error. I'm not generally an abstractionist
myself, but in these cases abstraction adds value.
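A userspace model of the point made in the reply above, added here as an example and not taken from the patch series or the kernel: two modules share one allocation, and each reaches its own data only through an accessor that adds its offset. Only the field names f_security and lbs_file are borrowed from the thread; file_model, blob_sizes, assign_offset, mod_a and mod_b are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
/* Userspace model of a shared file blob; every name here is hypothetical. */
struct file_model { void *f_security; };   /* stands in for struct file */
struct blob_sizes { size_t lbs_file; };    /* size on entry, offset after layout */
struct mod_a_sec { int sid; };
struct mod_b_sec { long label; };
static struct blob_sizes mod_a_sizes = { sizeof(struct mod_a_sec) };
static struct blob_sizes mod_b_sizes = { sizeof(struct mod_b_sec) };
static size_t file_blob_total;             /* bytes to allocate per file */

/* Replace a module's requested size with its aligned offset in the blob. */
static void assign_offset(struct blob_sizes *s)
{
    size_t a = _Alignof(max_align_t), need = s->lbs_file;
    file_blob_total = (file_blob_total + a - 1) / a * a;
    s->lbs_file = file_blob_total;
    file_blob_total += need;
}

/* The accessors are the only code that knows where each module's data lives. */
static struct mod_a_sec *mod_a_file(const struct file_model *f)
{
    return (struct mod_a_sec *)((char *)f->f_security + mod_a_sizes.lbs_file);
}
static struct mod_b_sec *mod_b_file(const struct file_model *f)
{
    return (struct mod_b_sec *)((char *)f->f_security + mod_b_sizes.lbs_file);
}

/* Returns 1 when both modules keep separate state in one allocation. */
static int demo(void)
{
    struct file_model f;
    int ok;
    if (!file_blob_total) {                /* lay the blob out once */
        assign_offset(&mod_a_sizes);
        assign_offset(&mod_b_sizes);
    }
    f.f_security = calloc(1, file_blob_total);
    if (!f.f_security)
        return -1;
    mod_a_file(&f)->sid = 7;
    mod_b_file(&f)->label = 42;
    ok = mod_a_file(&f)->sid == 7 && mod_b_file(&f)->label == 42;
    free(f.f_security);
    return ok;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

In this model, a caller that cast f_security directly to struct mod_b_sec would land on module A's data at offset 0, which is the class of error the helper prevents.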