Re: [RFC] [Stacking v4 2/3] New version of SELinux patch to support stacking

From: Chris Wright (chrisw@private)
Date: Thu Dec 16 2004 - 14:05:51 PST


* Serge Hallyn (serue@private) wrote:
> The attached patch is virtually the same as Chris', compiled and
> "tested".  A quick while (1) malloc(100000000) test seemed to give the
> desired result.  Is that an appropriate test?

Depends on the overcommit settings.  The toplevel is an early out
on overcommit == 0, so it's possible you didn't fully test it.  BTW,
I think it's broken.

+       sysadm = secondary_ops->capable(current, CAP_SYS_ADMIN);
+       if (!sysadm)
+	       sysadm = avc_has_perm_noaudit(tsec->sid, tsec->sid,
+				       SECCLASS_CAPABILITY,
+				       CAP_TO_MASK(CAP_SYS_ADMIN),
+				       NULL);

+	return __cap_vm_enough_memory(pages, sysadm);
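
Review bot: sysadm carries an errno-style return code (0 on allow, -EPERM on deny, as the reply states) but is passed straight to __cap_vm_enough_memory() as if it were a truth value, so a task that is denied CAP_SYS_ADMIN ends up with a non-zero sysadm and a task that passes both checks ends up with 0. Keep the return code in its own variable (a hypothetical `rc`), leave the `if (!rc)` chaining so the AVC check only runs after capable() allows, and pass an explicit boolean such as `rc == 0` to __cap_vm_enough_memory(). A short comment saying that the noaudit variant is used because a denial here is expected and is not an error would also help the next reader.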

the value for sysadm should behave like a boolean.  However, it's
currently used backwards.  0 == TRUE, -EPERM == FALSE, map that to
boolean, and....

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net


