* Stephen Smalley (sds@private) wrote:
> On Mon, 2004-10-18 at 17:40, John Johansen wrote:
> > The patch to setscheduler moves the locking of the runqueue until after
> > the calls to capable and security_task_setscheduler, so it fixes both of
> > them. I believe this to be safe, but it really needs vetting by a
> > scheduler person.
>
> I think that you need to hold the lock when extracting p->policy, and if
> you drop the lock for the security checks, you need to recheck that
> p->policy hasn't changed after you re-take the lock. Advantage of your
> approach (with those fixes) is that no special handling is required by
> capable(CAP_SYS_NICE) and security_task_setscheduler hook
> implementations; they can audit immediately. But given that the audit
> framework does support deferred auditing via audit_log_end_irq, I'm not
> sure that this is going to be compelling upstream, as it makes
> setscheduler() very convoluted.

Yup, I agree. That's what I was referring to yesterday (policy can change
comment).

John, I didn't realize you had sent this to me earlier. That, as well as
this email, never came to my inbox (only got this one via the list). I
wonder if you need to do some envelope masquerading? I imagine this looks
suspect to our spam filters: "Received: from ortho.site..."

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
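The drop-the-lock / recheck pattern Stephen describes above, as an added example that is not part of the thread and not the kernel's setscheduler() code. It is a single-threaded C simulation: struct task, the rq_lock spinlock, may_change_policy() and the "racer" callback are hypothetical stand-ins for the runqueue lock, p->policy, capable(CAP_SYS_NICE)/security_task_setscheduler and a concurrent writer that takes the lock while it is dropped. The buggy variant checks permissions against a stale copy of the policy; the corrected variant re-takes the lock, confirms p->policy is unchanged, and redoes the check otherwise.

```c
/* Added example: simulation of the setscheduler() lock-drop/recheck pattern.
 * All names here are hypothetical stand-ins, not kernel code. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { POLICY_NORMAL = 0, POLICY_FIFO = 1, POLICY_RR = 2 };

struct task {
    atomic_flag rq_lock;  /* stand-in for the runqueue lock */
    int policy;           /* stand-in for p->policy; touched only under rq_lock */
    int uid;              /* 0 = privileged, like capable(CAP_SYS_NICE) */
};

/* Runs while the lock is dropped; models another CPU changing p->policy. */
typedef void (*racer_fn)(struct task *p);

static void rq_lock(struct task *p)
{
    while (atomic_flag_test_and_set_explicit(&p->rq_lock, memory_order_acquire))
        ; /* spin */
}

static void rq_unlock(struct task *p)
{
    atomic_flag_clear_explicit(&p->rq_lock, memory_order_release);
}

void task_init(struct task *p, int policy, int uid)
{
    atomic_flag_clear(&p->rq_lock);
    p->policy = policy;
    p->uid = uid;
}

/* Hypothetical permission check standing in for capable()/the LSM hook.
 * It may sleep or audit, so it runs without rq_lock held. The decision
 * depends on the OLD policy, which is why checking a stale value is unsafe. */
static bool may_change_policy(const struct task *p, int old_policy, int new_policy)
{
    if (p->uid == 0)
        return true;                  /* privileged: anything goes */
    if (new_policy != POLICY_NORMAL)
        return false;                 /* unprivileged: no realtime policies */
    if (old_policy != POLICY_NORMAL)
        return false;                 /* unprivileged: may not demote an RT task */
    return true;
}

/* Buggy variant: checks against the policy read before dropping the lock
 * and never looks again, so a concurrent change is clobbered unchecked. */
int set_policy_no_recheck(struct task *p, int new_policy, racer_fn racer)
{
    rq_lock(p);
    int old_policy = p->policy;
    rq_unlock(p);

    if (racer)
        racer(p);                     /* another CPU wins the lock here */

    if (!may_change_policy(p, old_policy, new_policy))
        return -EPERM;

    rq_lock(p);
    p->policy = new_policy;           /* no recheck of p->policy */
    rq_unlock(p);
    return 0;
}

/* Corrected variant: re-take the lock, verify p->policy is still the value
 * the permission check was made against, and redo the check if it is not. */
int set_policy_recheck(struct task *p, int new_policy, racer_fn racer, int *retries)
{
    for (;;) {
        rq_lock(p);
        int old_policy = p->policy;   /* read under the lock */
        rq_unlock(p);                 /* drop it so the check may sleep/audit */

        if (racer)
            racer(p);

        if (!may_change_policy(p, old_policy, new_policy))
            return -EPERM;

        rq_lock(p);
        if (p->policy != old_policy) {   /* changed while we were unlocked */
            rq_unlock(p);
            (*retries)++;
            continue;                    /* check again against current state */
        }
        p->policy = new_policy;
        rq_unlock(p);
        return 0;
    }
}

/* Constructed racer: a privileged writer promotes the task to RR once
 * (only while it is still NORMAL), so the retry loop terminates. */
void racer_promote_once(struct task *p)
{
    rq_lock(p);
    if (p->policy == POLICY_NORMAL)
        p->policy = POLICY_RR;
    rq_unlock(p);
}

int main(void)
{
    struct task a, b;
    int retries = 0;

    task_init(&a, POLICY_NORMAL, 1000);
    int r1 = set_policy_no_recheck(&a, POLICY_NORMAL, racer_promote_once);
    printf("no recheck: ret=%d policy=%d (RR promotion silently lost)\n", r1, a.policy);

    task_init(&b, POLICY_NORMAL, 1000);
    int r2 = set_policy_recheck(&b, POLICY_NORMAL, racer_promote_once, &retries);
    printf("recheck:    ret=%d policy=%d retries=%d (demotion refused)\n", r2, b.policy, retries);
    return 0;
}
```

In the buggy path an unprivileged caller asks for NORMAL->NORMAL, which is allowed against the stale value; the racing privileged promotion to RR then gets overwritten with NORMAL, a demotion the caller was never entitled to. The recheck path notices the change, re-evaluates against RR and returns -EPERM. Whether this is worth the extra loop in setscheduler(), versus keeping the lock and deferring the audit record as Stephen suggests, is exactly the trade-off discussed above.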
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 09:21:46 PDT