* Serge Hallyn (serue@private) wrote:
> The attached patch is virtually the same as Chris', compiled and
> "tested". A quick while (1) malloc(100000000) test seemed to give the
> desired result. Is that an appropriate test?

Depends on the overcommit settings. The toplevel is an early out on
overcommit == 0, so it's possible you didn't fully test it. BTW, I think
it's broken.

+ sysadm = secondary_ops->capable(current, CAP_SYS_ADMIN);
+ if (!sysadm)
+ sysadm = avc_has_perm_noaudit(tsec->sid, tsec->sid,
+ SECCLASS_CAPABILITY,
+ CAP_TO_MASK(CAP_SYS_ADMIN),
+ NULL);
+ return __cap_vm_enough_memory(pages, sysadm);

the value for sysadm should behave like a boolean. However, it's
currently used backwards. 0 == TRUE, -EPERM == FALSE, map that to
boolean, and....

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
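Review bot: the final `return __cap_vm_enough_memory(pages, sysadm);` passes the raw result of the two permission checks, which by the convention stated in this reply is 0 when permission is granted and -EPERM when it is denied, into an argument that is meant to act as a boolean, so a task that passes both checks is treated as lacking CAP_SYS_ADMIN and a denied task is treated as having it. Keep the check result in a separate error-code variable and convert it before the call, for example by passing the result of comparing that variable with 0, so that `sysadm` is 1 only when both `secondary_ops->capable()` and `avc_has_perm_noaudit()` returned 0. The `if (!sysadm)` chaining is correct only under that same 0-means-granted reading, so a one-line comment stating the return convention, and why the non-auditing AVC variant is used here, would make the intent clear to the next reader.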
This archive was generated by hypermail 2.1.3 : Thu Dec 16 2004 - 14:06:18 PST