SELinux and its own error code?

Greg KH greg at kroah.com
Sun May 3 05:18:45 EDT 2020


On Sun, May 03, 2020 at 03:59:22AM -0400, Jeffrey Walton wrote:
> > Among other things, it means that programs potentially have to have
> > special-casing in the error handlers, which are *already* code that doesn't
> > get fully tested in most cases.
> 
> Why is that a bad thing?

The goal is to not break existing userspace programs.  If the kernel
started making up new error numbers for every new way it comes up with
preventing you from doing something, userspace programs would not like
that at all.

> SELinux is an add-on. I have no problem checking for seerrno or ESEPERM
> for its specific errors.

And do you want to check for all of the other different security models
that Valdis listed?  What about the 10 new ones that are coming in the
next 2 years?  After that?

All that matters to your program is that you were not allowed access to
that resource; it doesn't matter what type of kernel feature/option caused
that to happen.

thanks,

greg k-h


