Re: [patch 2/3] lsm: add bsdjail module

From: Stephen Smalley
Date: Wed Oct 13 2004 - 10:32:40 EST

Next message: Peter W. Morreale: "Re: waiting on a condition"
Previous message: Alan Cox: "PATCH: IDE generic tweak"
In reply to: Serge E. Hallyn: "Re: [patch 2/3] lsm: add bsdjail module"
Next in thread: Chris Wright: "Re: [patch 2/3] lsm: add bsdjail module"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2004-10-12 at 21:22, Serge E. Hallyn wrote:
> Then they would have to check for an optional "selinux: " at the front
> of each security_setprocattr entry read in the kernel, in order to handle
> an lsm infrastructure change which might never be accepted into the kernel
> anyway. I suppose it's pretty trivial anyway, but then why would they
> bother...

The changes to libselinux and procps and any scripts that directly
access /proc/pid/attr to deal with multi-entry values would be more
important; changing the kernel to prepend "selinux: " on getprocattr and
to strip it on setprocattr would indeed be trivial (but one wonders
whether we can be confident that userspace will never try to pass one of
these multi-entry values read from /proc/pid/attr to another interface
that expects a single context, e.g. selinuxfs or
setxattr("security.selinux")).

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Peter W. Morreale: "Re: waiting on a condition"
Previous message: Alan Cox: "PATCH: IDE generic tweak"
In reply to: Serge E. Hallyn: "Re: [patch 2/3] lsm: add bsdjail module"
Next in thread: Chris Wright: "Re: [patch 2/3] lsm: add bsdjail module"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]