Re: [PATCH 4/6] cr: checkpoint and restore task credentials

Quoting David Howells (dhowells@xxxxxxxxxx):
> Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> 
> > +/* move this code into kernel/cred.c and do proper perms checking of course */
> > +struct cred *restore_read_cred(struct ckpt_ctx *ctx)
> > +{
> 
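Review bot: the comment above restore_read_cred() defers "proper perms checking", which is the security-relevant part of this function and should not land as a TODO. As the name and the ckpt_ctx argument indicate, the function produces a struct cred from checkpoint data, so until a check limits what the restarting task may assume, the contents of the image decide the resulting credentials. Suggest adding the permission check in this patch (or refusing the restore until it exists) and placing the function in kernel/cred.c now, as the comment already proposes.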
> This function needs to fix up cred->security.

Yup - it's not at all clear to me yet how to go about that, so I'll
need to have a discussion on the LSM list about whether a pair
of new security_ops hooks is called for.  One to authorize restart,
based on the current domain and the type of the mm->exe_file being
executed (and maybe the type of the checkpoint image file), and
one to calculate the new domain to enter at the end of restart.

Or did you mean something else by 'fix up' cred->security?

thanks,
-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
