Re: [RFC] [Stacking v4 2/3] New version of SELinux patch to support stacking

From: Stephen Smalley (sds@private)
Date: Fri Dec 10 2004 - 06:28:43 PST

On Fri, 2004-12-10 at 08:29, Stephen Smalley wrote:
> avc_audit used to have an issue with being called under
> task_lock due to use of get_task_mm but I resolved that by only using
> get_task_mm when acting on a task other than current (as we can safely
> access current->mm without using get_task_mm), so I believe that you can
> actually collapse the avc_has_perm_noaudit()+avc_audit() calls into
> avc_has_perm() calls (which internally do both; the split interface is
> only for situations where we cannot safely do both under the same
> locking conditions or where we do not want to audit at all).

You can also simplify the flow in bprm_apply_creds (e.g. just return
upon ptrace failure after setting the unsafe flag, and then
unconditionally set tsec->sid if you've passed all of the safety
checks), and can also bail from bprm_final_setup after the unsafe check
(which needs to do the force_sig_specific) if tsec->osid == tsec->sid,
as the other processing is only for a transition.

Stephen Smalley <sds@private>
National Security Agency