Re: [PATCH] selinux: measure state and policy capabilities
From: Paul Moore
Date: Wed Jan 27 2021 - 22:34:39 EST
On Sun, Jan 24, 2021 at 12:04 PM Lakshmi Ramasubramanian
<nramas@xxxxxxxxxxxxxxxxxxx> wrote:
> On 1/22/21 1:21 PM, Paul Moore wrote:
...
> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >> index 644b17ec9e63..879a0d90615d 100644
> >> --- a/security/selinux/hooks.c
> >> +++ b/security/selinux/hooks.c
> >> @@ -7407,6 +7408,10 @@ int selinux_disable(struct selinux_state *state)
> >>
> >> selinux_mark_disabled(state);
> >>
> >> + mutex_lock(&state->policy_mutex);
> >> + selinux_ima_measure_state(state);
> >> + mutex_unlock(&state->policy_mutex);
> >
> > I'm not sure if this affects your decision to include this action in
> > the measurements, but this function is hopefully going away in the not
> > too distant future as we do away with support for disabling SELinux at
> > runtime.
> >
> > FWIW, I'm not sure it's overly useful anyway; you only get here if you
> > never had any SELinux policy/state configured and you decide to
> > disable SELinux instead of loading a policy. However, I've got no
> > objection to this code.
>
> If support for disabling SELinux at runtime will be removed, then I
> don't see a reason to trigger a measurement here. I'll remove this
> measurement.
It's currently marked as deprecated, see
Documentation/ABI/obsolete/sysfs-selinux-disable.
--
paul moore
www.paul-moore.com