James Morris wrote:
On Mon, 25 Aug 2008, KaiGai Kohei wrote:
@@ -5228,11 +5232,14 @@ static int selinux_setprocattr(struct task_struct *p,
do_each_thread(g, t) {
if (t->mm == mm && t != p) {
read_unlock(&tasklist_lock);
+ if (!security_bounded_transition(tsec->sid, sid))
+ goto boundary_ok;
return -EPERM;
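Review bot: The added check discards the return value of security_bounded_transition(): when the bounded-transition check fails, the function falls through to the pre-existing `return -EPERM;` regardless of what error the helper reported. Capture the result (e.g. `rc = security_bounded_transition(tsec->sid, sid);`) and return `rc` on failure so the caller sees the real error code rather than an unconditional -EPERM.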
Propagate the return value of security_bounded_transition().
OK, I'll fix it on the next.
Also, if the user/role bounds are not being used, should they be included
in this? From the kernel point of view, unused code should never be
added.
The existing name-based hierarchy on users/roles is implemented using the bounds
feature. If a user "staff_u.foo" is defined, the toolchain implicitly defines
a bounds relationship with "staff_u", for example.
I don't provide an explicit way to define bounds (like TYPEBOUNDS) between
users/roles, but we can define it with the existing grammar.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>