From: Stephen Smalley (sds@private)
Date: Wed Dec 08 2004 - 12:01:32 PST

On Wed, 2004-12-08 at 14:22, Stephen Smalley wrote:
> This is actually not quite right - even with your patch, we can't re-use
> cap_inode_setxattr or cap_inode_removexattr.  So the tradeoff is between
> being able to re-use cap_vm_enough_memory vs. being able to re-use
> cap_ptrace and cap_bprm_apply_creds.
> Speaking of cap_vm_enough_memory, looks like I need to re-sync
> selinux_vm_enough_memory with it.

Hmm...maintaining selinux_vm_enough_memory() is a bit of a pain, as we
just want the same logic as cap_vm_enough_memory() except for
distinguishing the capable() call so that we don't audit CAP_SYS_ADMIN
attempts on every process for no reason.  I had originally only
suggested replacing the capable() call with a hook call and leaving the
rest of vm_enough_memory in the core kernel, but Alan Cox had suggested
moving the entire logic into a security hook so that security modules
could in the future implement role-based policies on memory allocation.
That still seems like a good idea, but it would be nice if we could
leverage cap_vm_enough_memory or a common helper to reduce the code
duplication between it and selinux_vm_enough_memory.

Stephen Smalley <sds@private>
National Security Agency
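As an added illustration of the design point in the message above (this is example code written for this page, not kernel code and not from Stephen Smalley or the SELinux project): a user-space C model of the vm_enough_memory() overcommit heuristic in which the shared logic lives in one helper and only the capable() implementation is passed in. The generic flavour uses a capability check that records every denial, which is the "audit CAP_SYS_ADMIN attempts on every process" problem; the SELinux flavour passes a silent check and reuses everything else. The page counts, overcommit constants, struct names and the audit counter are constructed for the example, and the "last 3% reserved for CAP_SYS_ADMIN" rule (free/32) is assumed here from the kernel heuristic of that era rather than taken from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed, simplified model of the overcommit heuristic; not kernel values. */
enum { OVERCOMMIT_GUESS = 0, OVERCOMMIT_ALWAYS = 1, OVERCOMMIT_NEVER = 2 };

#define CAP_SYS_ADMIN 21   /* numeric value as in linux/capability.h */

struct mem_state {
    long free_pages;        /* free + page cache + swap + reclaimable slab */
    long total_ram_pages;
    long total_swap_pages;
    long committed;         /* pages already committed (vm_committed_space) */
    int  overcommit_mode;
    int  overcommit_ratio;  /* percent of RAM allowed in OVERCOMMIT_NEVER */
};

struct task {
    bool has_cap_sys_admin;
};

/* The capability check is the only thing the two modules disagree on,
 * so the shared helper takes it as a parameter. */
typedef bool (*capable_fn)(const struct task *t, int cap);

/* Stands in for the audit records an auditing capable() emits on denial. */
static int audit_denials = 0;

/* Model of the generic capable(): every failed check is recorded. */
static bool capable_audited(const struct task *t, int cap)
{
    (void)cap;
    if (!t->has_cap_sys_admin)
        audit_denials++;
    return t->has_cap_sys_admin;
}

/* Model of a non-auditing check: the reserve decision is not a policy
 * violation, so an unprivileged caller should not generate a record. */
static bool capable_silent(const struct task *t, int cap)
{
    (void)cap;
    return t->has_cap_sys_admin;
}

/* Shared overcommit logic. Returns 0 when the request is accepted (pages
 * stay accounted in m->committed) or -1 (ENOMEM) after undoing the
 * accounting. The free/32 reserve (assumed 3% rule) is kept for
 * CAP_SYS_ADMIN holders, which is where the capability check comes in. */
static int vm_enough_memory_common(struct mem_state *m, const struct task *t,
                                   long pages, capable_fn capable)
{
    m->committed += pages;                     /* vm_acct_memory() */

    if (m->overcommit_mode == OVERCOMMIT_ALWAYS)
        return 0;

    if (m->overcommit_mode == OVERCOMMIT_GUESS) {
        long free = m->free_pages;
        if (!capable(t, CAP_SYS_ADMIN))
            free -= free / 32;
        if (free > pages)
            return 0;
        m->committed -= pages;                 /* vm_unacct_memory() */
        return -1;
    }

    /* OVERCOMMIT_NEVER: strict accounting against RAM * ratio + swap */
    long allowed = m->total_ram_pages * m->overcommit_ratio / 100;
    if (!capable(t, CAP_SYS_ADMIN))
        allowed -= allowed / 32;
    allowed += m->total_swap_pages;
    if (m->committed < allowed)
        return 0;
    m->committed -= pages;
    return -1;
}

/* Generic (capability module) flavour: audits on every denied check. */
int cap_vm_enough_memory_model(struct mem_state *m, const struct task *t, long pages)
{
    return vm_enough_memory_common(m, t, pages, capable_audited);
}

/* SELinux flavour: identical logic, silent capability check. */
int selinux_vm_enough_memory_model(struct mem_state *m, const struct task *t, long pages)
{
    return vm_enough_memory_common(m, t, pages, capable_silent);
}

int main(void)
{
    struct mem_state s = { 1000, 4000, 0, 0, OVERCOMMIT_GUESS, 50 };
    struct task user = { false };

    int r1 = cap_vm_enough_memory_model(&s, &user, 980);      /* -1, one audit record */
    int r2 = selinux_vm_enough_memory_model(&s, &user, 980);  /* -1, no new record */
    printf("audited: %d, silent: %d, audit records: %d\n", r1, r2, audit_denials);
    return 0;
}
```

The point of the function-pointer parameter is that the two hooks stay in sync by construction: any change to the accounting rule lands in vm_enough_memory_common() once, while the audited-versus-silent capability decision stays a one-line difference in each wrapper.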

