mode 100644 Documentation/netlabel/draft_ietf.rst
> create mode 100644 Documentation/netlabel/index.rst
> rename Documentation/netlabel/{introduction.txt => introduction.rst} (91%)
> rename Documentation/netlabel/{lsm_interface.txt => lsm_interface.rst} (88%)
I'm fairly c
(52%)
> delete mode 100644 Documentation/security/SELinux-sctp.rst
[NOTE: adding the SELinux list to the CC line]
Looks good to me, thanks for the fixes/cleanup.
Are you planning this to go via the doc tree, or would you like me to
grab it for the SELinux tree? Either way is fine with me.
Acked-
fines which exclusive LSM get selected.
>
> and when lsm stacking lands, that exclusive LSM goes away.
FWIW, I still believe in my earlier statements supporting explicitly
enabling LSM stacking via Kconfig.
--
paul moore
www.paul-moore.com
-{
> - unsigned long enabled;
> - if (!kstrtoul(str, 0, &enabled))
> - selinux_enabled = enabled ? 1 : 0;
> - return 1;
> -}
> -__setup("selinux=", selinux_enabled_setup);
> -#else
> -int selinux_enabled = 1;
> -#endif
> +int selinux_enabled __lsm_ro_after_init;
>
> static unsigned int selinux_checkreqprot_boot =
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
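Review bot: the replacement declaration `int selinux_enabled __lsm_ro_after_init;` carries no initializer, whereas the removed `#else` branch defaulted the variable to 1 and the removed `selinux_enabled_setup()` normalized the `selinux=` value to 0 or 1. Nothing in the visible lines shows where the variable is now assigned, so a comment at the declaration should name the code that sets it during init and state the default that applies when `selinux=` is not given on the command line.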
> --
> 2.17.1
>
--
paul moore
www.paul-moore.com
On Sun, May 6, 2018 at 7:36 PM, Kees Cook wrote:
> On Sun, May 6, 2018 at 2:31 PM, Paul Moore wrote:
>> On Thu, May 3, 2018 at 9:08 PM, Tyler Hicks wrote:
>>> Seccomp received improved logging controls in v4.14. Applications can opt
>>> into logging of
as added to explain, among other
> things, that event filtering is performed in seccomp_log()
Kees, are you still okay with v3? Also, are you okay with these
patches going in via the audit tree, or would you prefer to take them
via seccomp? I've got a slight preference for the au
On Thu, May 3, 2018 at 4:42 PM, Steve Grubb wrote:
> On Thursday, May 3, 2018 4:18:26 PM EDT Paul Moore wrote:
>> On Wed, May 2, 2018 at 2:18 PM, Steve Grubb wrote:
>> > On Wednesday, May 2, 2018 11:53:19 AM EDT Tyler Hicks wrote:
>> >> The decision to log a seccomp
tions_logged sysctl.
>
> ACK for the format of the records.
I just wanted to clarify the record format with you Steve ... the
"actions" and "old-actions" fields may not be included in the record
in cases where there is an error building the action value string, are
you okay with that or would you prefer the fields to always be
included but with a "?" for the value?
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
view of course).
> ... One minor nit on
> seccomp_log() above, I'd probably change this to show the "exception"
> case as "out of line" of normal code flow. i.e. instead of "if (log)
> audit_seccomp", invert it to return early:
>
> ...
> if (!log)
On Tue, May 1, 2018 at 12:41 PM, Steve Grubb wrote:
> On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote:
>> On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks wrote:
>> > The decision to log a seccomp action will always be subject to the
>> > value of the kernel.se
G_LOG bit was set. The admin has the ability to silence
> +* any action from being logged by removing the action name from the
> +* seccomp_actions_logged sysctl.
> */
> if (log)
> - return __audit_seccomp(syscall, signr, action);
> -
&
ng(ab, get_task_comm(comm, current));
> + audit_log_d_path_exe(ab, current->mm);
> + audit_log_format(ab, " op=seccomp-logging");
> + if (names)
> + audit_log_format(ab, " actions=\"%s\"", names);
> +
> + audit_log_f
g anything that would
cause any backwards compatibility issues for libseccomp. You could
try running the libseccomp tests against a patched kernel to make
sure; the README has all the info you need (pay special attention to
the "live" tests, although those are pretty meager at the moment).
--
p
On Sat, May 13, 2017 at 7:51 AM, Kees Cook wrote:
> Adjusts for ReST markup and moves under LSM admin guide.
>
> Cc: Paul Moore
> Signed-off-by: Kees Cook
> ---
> .../SELinux.txt => admin-guide/LSM/SELinux.rst}| 18
> --
> Documentatio