Re: [patch] [sg]etaffinity hooks

From: Stephen Smalley (sdsat_private)
Date: Mon Oct 07 2002 - 11:15:54 PDT


    On Mon, 7 Oct 2002, Seth Arnold wrote:
    
    > Stephen, please indulge my curiosities and explain what this mediates?
    > As I understand the process affinities, these hooks would mediate how
    > tightly a process is bound to a specific group of processors to help
    > prevent cache thrashing; I don't see a point to mediating cpu affinity
    > in an access control module. (Well, aside from covert timing channels,
    > but I thought we more or less came to an agreement that covert channels
    > were out of scope for a 2.6 LSM?)
    
    If you could only set or get your own CPU affinity, then it wouldn't be an
    issue.  But since you can use these calls to set or get the CPU affinity
    of another process, a security module may wish to restrict such
    interactions based on the security attributes of the current and target
    processes.  In the SELinux case, we make a permission check between the
    current and target processes based on the pair of security domains.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
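
The check described in the message above, as an added example that is not part of the original post and is not SELinux or kernel code: a user-space C model in which a hook decides set/get affinity requests from the (current, target) domain pair. The domain names, policy table and function names are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* User-space model; every name here is hypothetical, not a kernel or SELinux symbol. */
enum { PERM_GETAFFINITY = 1, PERM_SETAFFINITY = 2 };
struct task { int pid; const char *domain; unsigned long cpu_mask; };
struct rule { const char *source, *target; int perms; };

/* Constructed sample policy: what a source domain may do to a target domain. */
static const struct rule policy[] = {
    { "admin_d", "admin_d", PERM_GETAFFINITY | PERM_SETAFFINITY },
    { "admin_d", "web_d",   PERM_GETAFFINITY | PERM_SETAFFINITY },
    { "user_d",  "user_d",  PERM_GETAFFINITY | PERM_SETAFFINITY },
    { "user_d",  "web_d",   PERM_GETAFFINITY },
};

/* The hook: decide from the (current, target) domain pair, denying by default. */
static int hook_affinity(const struct task *cur, const struct task *tgt, int perm)
{
    for (size_t i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
        if (!strcmp(policy[i].source, cur->domain) &&
            !strcmp(policy[i].target, tgt->domain))
            return (policy[i].perms & perm) == perm ? 0 : -EACCES;
    return -EACCES;
}

/* Set path: the hook runs before the target's mask is touched. */
static int model_setaffinity(const struct task *cur, struct task *tgt, unsigned long mask)
{
    int rc = hook_affinity(cur, tgt, PERM_SETAFFINITY);
    if (rc == 0) tgt->cpu_mask = mask;
    return rc;
}

/* Get path: the hook runs before the target's mask is disclosed. */
static int model_getaffinity(const struct task *cur, const struct task *tgt, unsigned long *mask)
{
    int rc = hook_affinity(cur, tgt, PERM_GETAFFINITY);
    if (rc == 0) *mask = tgt->cpu_mask;
    return rc;
}

int main(void)
{
    struct task user = { 100, "user_d", 0xf }, web = { 200, "web_d", 0xf };
    unsigned long m = 0;
    printf("user sets web: %d\n", model_setaffinity(&user, &web, 0x1));
    printf("user gets web: %d\n", model_getaffinity(&user, &web, &m));
    return 0;
}
```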
    


