On Mon, 7 Oct 2002, Seth Arnold wrote:

> Stephen, please indulge my curiosities and explain what this mediates?
> As I understand the process affinities, these hooks would mediate how
> tightly a process is bound to a specific group of processors to help
> prevent cache thrashing; I don't see a point to mediating cpu affinity
> in an access control module. (Well, aside from covert timing channels,
> but I thought we more or less came to an agreement that covert channels
> were out of scope for a 2.6 LSM?)

If you could only set or get your own CPU affinity, then it wouldn't be an issue. But since you can use these calls to set or get the CPU affinity of another process, a security module may wish to restrict such interactions based on the security attributes of the current and target processes. In the SELinux case, we make a permission check between the current and target processes based on the pair of security domains.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
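The domain-pair check described in the reply above can be modelled in userspace as follows. This is an added example, not part of the original message and not kernel or SELinux code; the domain names, permission bits, policy table and function names are all hypothetical.

```c
/* Userspace model of a domain-pair affinity check. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PERM_GETAFFINITY = 1u << 0, PERM_SETAFFINITY = 1u << 1 };

struct task { int pid; const char *domain; };

/* One allow rule: source domain may exercise `perms` on target domain. */
struct rule { const char *src, *tgt; unsigned perms; };

/* Constructed sample policy. Anything not listed is denied. */
static const struct rule policy[] = {
    { "sched_admin_t", "batch_t", PERM_GETAFFINITY | PERM_SETAFFINITY },
    { "monitor_t",     "batch_t", PERM_GETAFFINITY },
    { "batch_t",       "batch_t", PERM_GETAFFINITY | PERM_SETAFFINITY },
};

/* Collect the permissions granted to the (src, tgt) domain pair. */
static unsigned allowed_perms(const char *src, const char *tgt)
{
    unsigned av = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].src, src) && !strcmp(policy[i].tgt, tgt))
            av |= policy[i].perms;
    return av;
}

/* Hook-style check: 0 if every requested permission is granted, else -EACCES.
 * In this model the decision depends only on the two domains, not on the pid. */
static int check_affinity(const struct task *cur, const struct task *tgt,
                          unsigned requested)
{
    unsigned av = allowed_perms(cur->domain, tgt->domain);
    return (av & requested) == requested ? 0 : -EACCES;
}

int main(void)
{
    struct task admin = { 100, "sched_admin_t" }, mon = { 101, "monitor_t" };
    struct task job = { 200, "batch_t" };
    printf("admin set job:   %d\n", check_affinity(&admin, &job, PERM_SETAFFINITY));
    printf("monitor set job: %d\n", check_affinity(&mon, &job, PERM_SETAFFINITY));
    printf("monitor get job: %d\n", check_affinity(&mon, &job, PERM_GETAFFINITY));
    return 0;
}
```

Separating the get and set permissions lets a policy grant a monitoring domain read access to another domain's affinity mask without letting it repin those processes.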
This archive was generated by hypermail 2b30 : Mon Oct 07 2002 - 11:17:19 PDT