On Wed, 2004-12-08 at 14:22, Stephen Smalley wrote:
> This is actually not quite right - even with your patch, we can't re-use
> cap_inode_setxattr or cap_inode_removexattr. So the tradeoff is between
> being able to re-use cap_vm_enough_memory vs. being able to re-use
> cap_ptrace and cap_bprm_apply_creds.
>
> Speaking of cap_vm_enough_memory, looks like I need to re-sync
> selinux_vm_enough_memory with it.

Hmm...maintaining selinux_vm_enough_memory() is a bit of a pain, as we just
want the same logic as cap_vm_enough_memory() except for distinguishing the
capable() call so that we don't audit CAP_SYS_ADMIN attempts on every process
for no reason. I had originally only suggested replacing the capable() call
with a hook call and leaving the rest of vm_enough_memory in the core kernel,
but Alan Cox had suggested moving the entire logic into a security hook so
that security modules could in the future implement role-based policies on
memory allocation (see
http://marc.theaimsgroup.com/?l=linux-security-module&m=105638662108785&w=2).
That still seems like a good idea, but it would be nice if we could leverage
cap_vm_enough_memory or a common helper to reduce the code duplication
between it and selinux_vm_enough_memory.

-- 
Stephen Smalley <sds@private>
National Security Agency
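The "common helper" idea from the message above, as an added user-space model (not code from this thread, from the kernel's commoncap.c or from SELinux): the overcommit accounting lives once in a helper that receives the outcome of the CAP_SYS_ADMIN check as a parameter, so the capability module can keep an audited capable() call while an SELinux-style module passes the answer of a non-auditing probe. The overcommit modes, the page counts, the 1/32 reserve for the privileged user and the audit counter are assumptions chosen for illustration.

```c
/*
 * Added example: model of sharing the overcommit logic between a
 * capability-style and an SELinux-style vm_enough_memory hook.
 * All names, sizes and the audit counter are assumptions for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

enum { OVERCOMMIT_GUESS = 0, OVERCOMMIT_ALWAYS = 1, OVERCOMMIT_NEVER = 2 };

/* Constructed system state: stand-in for the kernel's overcommit globals. */
struct vm_state {
    int  overcommit_mode;
    long overcommit_ratio;   /* percent of RAM counted in OVERCOMMIT_NEVER */
    long total_ram_pages;
    long total_swap_pages;
    long free_pages;         /* stand-in for free + reclaimable pages */
    long committed_pages;    /* stand-in for vm_committed_space */
};

/* Constructed "current task". */
struct task {
    bool has_cap_sys_admin;
};

/* Number of audit records an audited capable() would have emitted. */
static int audit_records;

/* Model of capable(): a failed check is audited, i.e. leaves a record. */
static bool capable_audited(const struct task *t)
{
    if (!t->has_cap_sys_admin) {
        audit_records++;
        return false;
    }
    return true;
}

/* Model of the check an SELinux-style module wants for a capability it
 * probes on every allocation: same answer, no audit record. */
static bool capable_noaudit(const struct task *t)
{
    return t->has_cap_sys_admin;
}

/*
 * Shared accounting helper. Returns 0 if `pages` may be charged (and charges
 * them) or -1 (ENOMEM) otherwise. The caller passes cap_sys_admin in, so the
 * helper itself never decides how the capability is checked.
 */
static int vm_enough_memory_common(struct vm_state *vm, long pages, bool cap_sys_admin)
{
    long allowed;

    if (vm->overcommit_mode == OVERCOMMIT_ALWAYS) {
        vm->committed_pages += pages;
        return 0;
    }
    if (vm->overcommit_mode == OVERCOMMIT_GUESS) {
        if (vm->free_pages > pages) {
            vm->committed_pages += pages;
            return 0;
        }
        return -1;
    }
    /* OVERCOMMIT_NEVER: strict accounting against RAM * ratio + swap. */
    allowed = vm->total_ram_pages * vm->overcommit_ratio / 100 + vm->total_swap_pages;
    /* Assumed rule: keep 1/32 (about 3%) of the budget for CAP_SYS_ADMIN holders. */
    if (!cap_sys_admin)
        allowed -= allowed / 32;
    if (vm->committed_pages + pages < allowed) {
        vm->committed_pages += pages;
        return 0;
    }
    return -1;
}

/* Capability-module style hook: audited capable() feeding the shared helper. */
int cap_style_vm_enough_memory(struct vm_state *vm, const struct task *t, long pages)
{
    return vm_enough_memory_common(vm, pages, capable_audited(t));
}

/* SELinux-style hook: identical accounting, CAP_SYS_ADMIN probed without audit. */
int selinux_style_vm_enough_memory(struct vm_state *vm, const struct task *t, long pages)
{
    return vm_enough_memory_common(vm, pages, capable_noaudit(t));
}

int  audit_record_count(void)  { return audit_records; }
void reset_audit_records(void) { audit_records = 0; }

/* Constructed scenario: 1000 RAM pages, ratio 50, no swap, strict mode.
 * Budget is 500 pages for CAP_SYS_ADMIN holders and 485 for everyone else. */
int scenario_result(bool privileged, bool selinux_style, long pages)
{
    struct vm_state vm = { OVERCOMMIT_NEVER, 50, 1000, 0, 0, 0 };
    struct task t = { privileged };
    return selinux_style ? selinux_style_vm_enough_memory(&vm, &t, pages)
                         : cap_style_vm_enough_memory(&vm, &t, pages);
}

int main(void)
{
    printf("unprivileged, 490 pages, cap style:     %d\n", scenario_result(false, false, 490));
    printf("unprivileged, 490 pages, selinux style: %d\n", scenario_result(false, true, 490));
    printf("audit records left behind: %d\n", audit_record_count());
    return 0;
}
```

The point the model makes is that both hooks return the same verdict for the same task and request, but only the capability-style path leaves an audit record for an unprivileged process; the shared helper is what keeps the two from drifting apart the way selinux_vm_enough_memory and cap_vm_enough_memory did.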
This archive was generated by hypermail 2.1.3 : Wed Dec 08 2004 - 12:07:01 PST