Re: [RFC] [Stacking v4 2/3] New version of SELinux patch to support stacking

From: Chris Wright (chrisw@private)
Date: Fri Dec 17 2004 - 14:28:53 PST


* Serge Hallyn (serue@private) wrote:
> Oh, so it does.  Sorry.
> 
> The attached patch moves the helper to security.c:__vm_enough_memory(),
> and switches dummy_vm_enough_memory to use it as well.  cap_ and dummy_
> use their own capable() functions for CAP_SYS_ADMIN.
> 
> I hope I've got the logic right this time.  Behavior seems the same as
> under FC3 stock kernel, but honestly neither does what I'd expect.  (I
> plan to look into why next week  :)

Make sure it's the right overcommit mode (cat /proc/sys/vm/overcommit_memory).
If it's 0  -- OVERCOMMIT_GUESS (typically the default), then you'll hit the
capability logic, and shouldn't be able to get at that last 3% w/out cap bit.
Seems to work as expected to me.  Allocations maxed out at 1080M as user,
and 1114M as root.  34/1114 ~ 3%.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
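
An added example, not part of the original message or of the patch under discussion: a simplified userspace model of the OVERCOMMIT_GUESS check described above, assuming the root reserve is 1/32 of the free-memory estimate, as in kernels of that era. The function names are hypothetical, and the 285184-page input (1114 MiB at 4 KiB pages) is constructed from the figures in the message.

```c
#include <errno.h>
#include <stdio.h>

enum { OVERCOMMIT_GUESS = 0, OVERCOMMIT_ALWAYS = 1 };

/* Model of the heuristic check. free_pages stands in for the kernel's
 * estimate of available pages (an input here, computed in the kernel).
 * cap_sys_admin is the result of the caller's capable(CAP_SYS_ADMIN). */
int vm_enough_memory_model(int mode, long pages, long free_pages,
                           int cap_sys_admin)
{
    if (mode == OVERCOMMIT_ALWAYS)
        return 0;                       /* mode 1: never refuse */
    if (mode != OVERCOMMIT_GUESS)
        return -EINVAL;                 /* strict mode 2 is not modeled here */
    if (!cap_sys_admin)
        free_pages -= free_pages / 32;  /* leave the last ~3% for root */
    return free_pages > pages ? 0 : -ENOMEM;
}

/* Largest request (in pages, capped at free_pages) that the model grants. */
long largest_grant(int mode, long free_pages, int cap_sys_admin)
{
    long lo = 0, hi = free_pages;
    while (lo < hi) {
        long mid = lo + (hi - lo + 1) / 2;
        if (vm_enough_memory_model(mode, mid, free_pages, cap_sys_admin) == 0)
            lo = mid;
        else
            hi = mid - 1;
    }
    return lo;
}

int main(void)
{
    const long free_pages = 285184;     /* constructed: 1114 MiB / 4 KiB */
    long root = largest_grant(OVERCOMMIT_GUESS, free_pages, 1);
    long user = largest_grant(OVERCOMMIT_GUESS, free_pages, 0);

    printf("root: %ld pages (~%ld MiB)\n", root, root / 256);
    printf("user: %ld pages (~%ld MiB)\n", user, user / 256);
    printf("reserve: %ld pages (1/32 = 3.125%%)\n", root - user);
    return 0;
}
```

With the constructed input the gap between the two limits is 8912 pages, about 34 MiB, which is in line with the 1080M and 1114M figures reported in the message.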


