On Mon, 2003-06-23 at 17:25, Stephen Smalley wrote:
> This patch for 2.5.73 replaces the CAP_SYS_ADMIN test in
> vm_enough_memory with a security_vm_allocate hook call so that security
> modules such as SELinux can distinguish this test from other
> CAP_SYS_ADMIN checks. This change is necessary since the
> vm_enough_memory capability check is applied to all processes that
> allocate mappings and we don't want to spuriously audit CAP_SYS_ADMIN
> denials generated by this test. If anyone has any objections to this
> patch, please let me know. Thanks.

Is there any reason for not wrapping the entire vm_enough_memory()
function and using the current one as default? In some environments
being able to make total commit constraints based on roles may
actually be useful. (Think "sum of students' memory < 40% of system" 8))

vm_enough_memory has to be kernel side but it's basically policy, so
pluggable IMHO is good.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
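The pluggable-policy idea raised in the reply above, as an added userspace C model that is not part of the original message and not kernel code: a single commit-check entry point delegates to an installed policy, with a default global check and a role-based policy enforcing the "sum of students' memory < 40% of system" constraint. All names (model_vm_enough_memory, role_cap_policy, the role enum), the 1000-page system size and the simplified admin reserve are assumptions made for illustration.

```c
/* Userspace model only, not kernel code; every name here is hypothetical. */
#include <stdio.h>
#include <string.h>
#define TOTAL_PAGES 1000L            /* constructed system size */
enum role { ROLE_STAFF, ROLE_STUDENT, ROLE_COUNT };
struct task { enum role role; int is_admin; };
typedef int (*vm_policy_fn)(const struct task *, long);  /* 0 allow, -1 refuse */
static long committed[ROLE_COUNT];   /* pages committed, per role */

/* Default: simplified stand-in for a global check with an admin-only reserve. */
static int default_policy(const struct task *t, long pages)
{
    long total = committed[ROLE_STAFF] + committed[ROLE_STUDENT];
    long limit = TOTAL_PAGES - (t->is_admin ? 0 : TOTAL_PAGES / 32);
    return total + pages <= limit ? 0 : -1;
}

/* Role policy: students' sum stays below 40%, then the default still applies. */
static int role_cap_policy(const struct task *t, long pages)
{
    if (t->role == ROLE_STUDENT &&
        committed[ROLE_STUDENT] + pages >= TOTAL_PAGES * 40 / 100)
        return -1;
    return default_policy(t, pages);
}
static vm_policy_fn vm_policy = default_policy;   /* the pluggable slot */
static void reset_model(vm_policy_fn p)
{
    memset(committed, 0, sizeof committed);
    vm_policy = p;
}

/* Single entry point: ask the installed policy, account only on success. */
static int model_vm_enough_memory(const struct task *t, long pages)
{
    int rc = vm_policy(t, pages);
    if (rc == 0)
        committed[t->role] += pages;
    return rc;
}

int main(void)
{
    struct task student = { ROLE_STUDENT, 0 };
    reset_model(role_cap_policy);
    int first = model_vm_enough_memory(&student, 399);
    printf("%d then %d\n", first, model_vm_enough_memory(&student, 1));
    return 0;
}
```

Because the role policy falls through to the default, installing it can only tighten the global decision, never loosen it.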
This archive was generated by hypermail 2b30 : Mon Jun 23 2003 - 09:43:19 PDT