Re: [RFC] [Stacking v4 2/3] New version of SELinux patch to support stacking

From: Stephen Smalley (sds@private)
Date: Fri Dec 10 2004 - 05:29:26 PST

On Thu, 2004-12-09 at 20:45, Serge Hallyn wrote:
> Would the attached patch be sufficient, or should the force_sig_specific
> and avc_audit also be moved to the final_setup()?  It doesn't look to me
> like doing them under task_lock is a problem, and it did test fine, but
> I don't think I actually triggered the test conditions.  (How do I get
> selinux to try an unlawful transition?)

force_sig_specific should definitely go into the second hook after
release of task_lock, as you will otherwise nest task_lock inside
siglock.  avc_audit used to have an issue with being called under
task_lock due to use of get_task_mm but I resolved that by only using
get_task_mm when acting on a task other than current (as we can safely
access current->mm without using get_task_mm), so I believe that you can
actually collapse the avc_has_perm_noaudit()+avc_audit() calls into
avc_has_perm() calls (which internally do both; the split interface is
only for situations where we cannot safely do both under the same
locking conditions or where we do not want to audit at all).
Stephen Smalley <sds@private>
National Security Agency

This archive was generated by hypermail 2.1.3 : Fri Dec 10 2004 - 05:35:04 PST