Re: stacker and vm_enough_memory

From: serue@private
Date: Tue Jun 28 2005 - 19:44:15 PDT


Quoting Tony Jones (tonyj@private):
> Hi Serge,
> 
> I have a question about stacker_vm_enough_memory.
> 
> I note that SELinux doesn't implement the vm_enough_memory hook right now, so
> fixup_ops gives them dummy_vm_enough_memory.  Same for our module currently
> in an unstacked setup.
> 
> For stacker, if no module is registered, stacker_vm_enough_memory calls
> capable() rather than dummy_capable()  [but the problem would be the same
> if capability was the first module in the list (or any module whose
> vm_enough_memory hook called capable().]
> 
> The issue is that if any module in the chain tries to do any auditing based
> on rejecting capable() things get quite noisy.

Another good catch.  Stacker should not be using capable, but IMO that
is because it should not be setting PF_SUPERPRIV if the request was
granted.  So I believe stacker should loop through each stacked
module's capable() function for an answer.

But that would still call your module's capable().  I take it that is
not sufficient?  What would you suggest?  Always using
default_module->capable()?

> I would imagine selinux auditing, if enabled, would see a similar problem.

> Places in the kernel which modify a request rather than rejecting it based on 
> the result of capable() seem few at present.

I'm not sure what you mean by this.

thanks,
-serge
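The three ways of answering the "does this task hold CAP_SYS_ADMIN?" question that the exchange above turns on, as a constructed user-space model added here. It is not kernel code and not stacker's, SELinux's or Tony's module's source: the task, module, flag and hook definitions are simplified stand-ins, the stack order (auditing module consulted first) is chosen to show the noise Tony describes, and the numeric values are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of how a stacked vm_enough_memory hook might ask whether
 * the current task holds CAP_SYS_ADMIN. Not kernel code: every name here is a
 * simplified stand-in for the real structure or function.
 */

#define EPERM         1
#define PF_SUPERPRIV  0x100u  /* modelled "used super-user privileges" flag */
#define CAP_SYS_ADMIN 21

struct task {
    unsigned int flags;  /* PF_* bits */
    unsigned int caps;   /* bit n set means capability n is held */
};

struct security_module {
    int (*capable)(struct task *t, int cap);  /* 0 = grant, -EPERM = deny */
};

/* Modelled audit log: number of denial records the auditing module emitted. */
static int audit_records;

static int has_cap(const struct task *t, int cap)
{
    return (t->caps >> cap) & 1u;
}

/* Plain capability-style module: checks the bit and logs nothing. */
static int default_capable(struct task *t, int cap)
{
    return has_cap(t, cap) ? 0 : -EPERM;
}

/* Stacked module that audits every denial, like the one the thread describes. */
static int auditing_capable(struct task *t, int cap)
{
    if (has_cap(t, cap))
        return 0;
    audit_records++;
    return -EPERM;
}

static struct security_module default_module  = { default_capable };
static struct security_module auditing_module = { auditing_capable };

/* Constructed stack order: the auditing module is consulted first. */
static struct security_module *stack[] = { &auditing_module, &default_module };
#define NSTACK (sizeof(stack) / sizeof(stack[0]))

/* Stacker's capable hook: every module must grant; the first denial wins. */
static int stacker_capable(struct task *t, int cap)
{
    for (size_t i = 0; i < NSTACK; i++) {
        int rc = stack[i]->capable(t, cap);
        if (rc)
            return rc;
    }
    return 0;
}

/* Kernel-wide capable(): on a grant it records privilege use in PF_SUPERPRIV. */
static int capable(struct task *t, int cap)
{
    if (stacker_capable(t, cap) != 0)
        return 0;
    t->flags |= PF_SUPERPRIV;
    return 1;
}

/* Option 1, what the thread says stacker does today: go through capable(). */
static int sysadmin_via_capable(struct task *t)
{
    return capable(t, CAP_SYS_ADMIN);
}

/* Option 2, Serge's first suggestion: walk the modules' hooks, never set PF_SUPERPRIV. */
static int sysadmin_via_stack(struct task *t)
{
    return stacker_capable(t, CAP_SYS_ADMIN) == 0;
}

/* Option 3, Serge's alternative: consult only default_module->capable(). */
static int sysadmin_via_default(struct task *t)
{
    return default_module.capable(t, CAP_SYS_ADMIN) == 0;
}

/* Run one option on a fresh task and report the answer plus its side effects. */
struct outcome { int granted; int superpriv_set; int audit_delta; };

struct outcome run_option(int (*option)(struct task *), unsigned int caps)
{
    struct task t = { 0u, caps };
    int before = audit_records;
    struct outcome o;
    o.granted = option(&t);
    o.superpriv_set = (t.flags & PF_SUPERPRIV) != 0;
    o.audit_delta = audit_records - before;
    return o;
}

int main(void)
{
    int (*options[])(struct task *) = { sysadmin_via_capable, sysadmin_via_stack, sysadmin_via_default };
    const char *names[] = { "via capable()", "via stacked hooks", "via default module" };
    unsigned int cases[] = { 1u << CAP_SYS_ADMIN, 0u };
    for (size_t c = 0; c < 2; c++)
        for (size_t i = 0; i < 3; i++) {
            struct outcome o = run_option(options[i], cases[c]);
            printf("%-12s %-18s granted=%d PF_SUPERPRIV=%d audit_records+=%d\n",
                   cases[c] ? "privileged" : "unprivileged", names[i],
                   o.granted, o.superpriv_set, o.audit_delta);
        }
    return 0;
}
```

Running it shows the trade-off the two mails circle: option 1 both sets PF_SUPERPRIV on a grant and, for an unprivileged task, produces a denial record from the auditing module; option 2 drops the PF_SUPERPRIV side effect but still produces the denial record, which is Serge's "that would still call your module's capable()" point; option 3 produces neither, at the cost of ignoring every stacked module except the default one.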



This archive was generated by hypermail 2.1.3 : Tue Jun 28 2005 - 19:38:51 PDT