Re: sys_setpriority error

• Previous message: Casey Schaufler: "Re: sys_setpriority error"
• In reply to: Jesse Pollard: "Re: sys_setpriority error"
• Reply: David Wagner: "Re: sys_setpriority error"
• Reply: Chris Wright: "Re: sys_setpriority error"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

How about this:

no_nice = security_ops->task_ops->setnice(p, niceval);
if (p->uid != current->euid &&
        p->uid != current->uid && no_nice) {

can become

no_nice = security_ops->task_ops->setnice(p, niceval);
if (no_nice) {

And put all of the access control logic into the dummy functions.  Thus
the LSM can then either be more or less restrictive, but the default will
be just the same as the base kernel version.

Extending this means that we move all of the places that the old capable()
checks were into the dummies, and all the other hooks can still just
return 0, or do a euid/uid check.  Then those of us that want the LSM to
be more restrictive than the default can do that, those that want the
capabilities style of being more permissive than the default can do that,
and overall we have more functionality.

-Titus



_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Chris Lundberg: "Re: sys_setpriority error"
• Previous message: Casey Schaufler: "Re: sys_setpriority error"
• In reply to: Jesse Pollard: "Re: sys_setpriority error"
• Reply: David Wagner: "Re: sys_setpriority error"
• Reply: Chris Wright: "Re: sys_setpriority error"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu May 31 2001 - 09:18:34 PDT