Re: [RFC] [Stacking v4 2/3] New version of SELinux patch to support stacking

From: Chris Wright (chrisw@private)
Date: Fri Dec 17 2004 - 12:29:40 PST


* Stephen Smalley (sds@private) wrote:
> On Fri, 2004-12-17 at 16:00, Serge Hallyn wrote:
> > Is that the behavior we want to preserve?  Or do we want to go ahead and
> > use capable(CAP_SYS_ADMIN) in the dummy version?
> 
> IMHO, having vm_enough_memory trigger setting of the PF_SUPERPRIV flag
> is a mistake.  dummy and capability should only be calling their own
> private capable functions, not the top-level one.

Why do you consider it a mistake?  It marks that you used a capability to
be able to grab that last bit of reserved memory?  Seems valid enough.
I can see it as troubling in the case where it's just used to mark a
flag on function call which may not be used.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net



This archive was generated by hypermail 2.1.3 : Fri Dec 17 2004 - 12:29:54 PST