On Fri, 2004-12-10 at 12:18 -0500, Stephen Smalley wrote: > On Fri, 2004-12-10 at 13:21, Serge Hallyn wrote: > > A new patch taking in Stephen's comments is attached. This patch > > defines the bprm_final_setup LSM hook, which is called after apply_creds > > but with task_lock dropped. > > You can collapse the avc_has_perm_noaudit()+avc_audit() call into a > avc_has_perm() call for the share check as well, eliminating the need > for avd at all. You don't need bsec or sid for bprm_final_setup, it > only deals with tsec. Thanks, will do. > Caveat: Patches already queued up in -mm eliminate the AVC entry > references entirely due to RCU, so your patch will have to be updated > when you re-base. Yeah, obviously I have to expect that to happen, but I'd like to get at least the base-patches (fix-capset-check.patch, remove_mod_unreg_security.patch, and split_bprm_apply_creds.patch) to lkml as soon as possible to minimize the number of patches I'll have to keep up-to-date. thanks, -serge -- Serge Hallyn <serue@private>
This archive was generated by hypermail 2.1.3 : Fri Dec 10 2004 - 09:41:17 PST