James Morris wrote:
On Mon, 25 Aug 2008, KaiGai Kohei wrote:@@ -5228,11 +5232,14 @@ static int selinux_setprocattr(struct task_struct *p, do_each_thread(g, t) { if (t->mm == mm && t != p) { read_unlock(&tasklist_lock); + if (!security_bounded_transition(tsec->sid, sid)) + goto boundary_ok; return -EPERM;Propagate the return value of security_bounded_transition().
OK, I'll fix it on the next.
Also, if the user/role bounds are not being used, should they be included in this? From the kernel point of view, unused code should never be added.
Existing named based hierarchy on users/roles are implemented using bounds feature. If a user "staff_u.foo" is defined, the toolchain implicitly defines bounds relationship with "staff_u", for example. I don't provide an explicit way to define bounds (like TYPEBOUNDS) between users/roles, but we can define it with existing grammar. Thanks, -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@xxxxxxxxxxxxx> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
