Quoting David Howells (dhowells@xxxxxxxxxx):
> Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
>
> > Or did you mean something else by 'fix up' cred->security?
>
> cred->security is inherited from the current process by virtue of calling
> prepare_creds() - as such, it is almost certainly going to be wrong. Can you
> just ask the LSM for a set of textual security labels when saving, and then
> set those back when restoring?

That would be too easy a way for users (even privileged root users but
constrained by selinux) to bypass selinux restrictions. All they'd have to
do is checkpoint their shell, and rewrite the ->security field in the
checkpoint image with 'shadow_t', to get a shell that can write to the
shadow file, for instance.

-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers