On Fri, Jan 13, 2012 at 12:13 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jan 13, 2012 at 12:05 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>>
>> I'm confused. The patch does "no security context changes on execve".
>
> So that's what I wanted and thought you did, but your comment:
>
> "With my patch, selinux can already block the execve if it wants"
>
> is what I reacted to. The "selinux *can*" and the "if it wants" part
> was what made my hackles rise.
>
> If it is not about what selinux can and what selinux wants, I'm happy.
> The security manager shouldn't have any choices in the matter. No
> 'can', no 'want'.
>
> Your choice of words made me think your patch had left that door open.

Fair enough. It's unavoidable that selinux can block the exec, though -- it could prevent you from reading the file, in which case good luck execing it :)

I'll respin this so that it doesn't oops if bisected with AppArmor running. Any maintainers want to pick it up?

--Andy