Stephen Smalley <[email protected]> wrote:
> That sounds workable, although I think he will want a more specific hook
> than security_secctx_to_secid(), or possibly a second hook call, that
> would not only validate the context but authorize the use of it by the
> cachefilesd process. And then the security_task_kernel_act_as() hook
> just takes the secid as input rather than the task struct of the daemon,
> and applies it. At that point, nfsd can use the same mechanism for
> setting the acting SID based on the client process after doing its own
> authorization.
I thought using secids was verboten as it made things too specific.
Have you example code for the security hook you mention? I'm not sure I
understand why security_secctx_to_secid() is not sufficient.
Or is it that I need something that takes a secctx, converts it to a secid and
authorises its use all in one go? If it's this, why can't that be rolles into
security_task_kernel_act_as()? That sets up a task_security struct which is
then switched in and out without consultation of the LSM.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]