Re: [PATCH 1/3] cr: add generic LSM c/r support (v4)

Quoting Oren Laadan (orenl@xxxxxxxxxxx):
> 
> 
> Serge E. Hallyn wrote:
> > Quoting Oren Laadan (orenl@xxxxxxxxxxx):
> >>
> >> Serge E. Hallyn wrote:
> >>> (wasn't versioning the patchsets before, so randomly pick 4 as
> >>> the version for this patchset...)
> >>>
> >>> Documentation/checkpoint/readme.txt begins:
> >>> """
> >>> Application checkpoint/restart is the ability to save the state
> >>> of a running application so that it can later resume its execution
> >>> from the time at which it was checkpointed.
> >>> """
> >>>
> 
> [...]
> 
> >>> +	memset(ctx->lsm_name, 0, SECURITY_NAME_MAX + 1);
> >>> +	strlcpy(ctx->lsm_name, security_get_lsm_name(), SECURITY_NAME_MAX + 1);
> >>> +	ret = ckpt_write_buffer(ctx, ctx->lsm_name, SECURITY_NAME_MAX + 1);
> >>> +	if (ret < 0)
> >>> +		return ret;
> >>> +
> >>> +	ret = security_checkpoint_header(ctx);
> >>> +	if (ret < 0)
> >>> +		return ret;
> >>> +
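Review bot: the memset() on the first line is load-bearing rather than redundant, because ckpt_write_buffer() writes all SECURITY_NAME_MAX + 1 bytes of ctx->lsm_name into the image, so the zeroing is what keeps stale bytes past the NUL terminator out of the checkpoint file; a one-line comment saying so would stop a later cleanup from dropping it in favour of the strlcpy() alone. The strlcpy() return value is also discarded, so a name longer than SECURITY_NAME_MAX would be truncated silently and the record written would not match the running LSM; checking the return value (a result of SECURITY_NAME_MAX + 1 or more means truncation) and failing the checkpoint in that case would make the record unambiguous.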
> >> This is actually a case for a 'container-global' section that would
> >> appear after the header and before the rest of the image. (Would be
> >> useful also for network namespaces).
> > 
> > But LSMs are specifically not containerized, so this is a host
> > property, not a container one.
> 
> Hmmm... does that mean you can't apply one policy to one container
> and another policy to another?

Yup.

> Anyway, it belongs to a 'global' section, that may have 2 parts:
> host and container. (Putting it between header and arch-header
> seems weird...)

Ok, then I'll add that in the next set.

> The header doesn't hold state, it is a declarative section about
> the properties of the original host (kernel and HW).

Ok, I see.

thanks,
-serge
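The quoted hunk and the exchange above are about how the LSM name is serialised into the image and what restore should make of it. The C program below is an added example, not code from the patch or from the linux-cr tree: it reproduces the fixed-width, zero-padded record from the hunk (with a small in-memory image_write() standing in for ckpt_write_buffer()) and adds the restore-side check that the record is well-formed and names the LSM running on the restoring host. SECURITY_NAME_MAX is set to 10, the value in include/linux/security.h; the struct image layout, the helper names and the header word are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Matches the kernel's SECURITY_NAME_MAX; everything else in this file is a
 * constructed stand-in for the checkpoint image, not linux-cr code. */
#define SECURITY_NAME_MAX 10
#define LSM_REC_LEN (SECURITY_NAME_MAX + 1)

struct image {
    unsigned char buf[256];
    size_t len;
};

/* Stand-in for ckpt_write_buffer(): append exactly n bytes to the image. */
static int image_write(struct image *img, const void *p, size_t n)
{
    if (img->len + n > sizeof img->buf)
        return -1;
    memcpy(img->buf + img->len, p, n);
    img->len += n;
    return 0;
}

/* Checkpoint side: emit the LSM name as a fixed-width, NUL-padded record,
 * as the quoted hunk does. The memset is not redundant: all LSM_REC_LEN
 * bytes go into the image, so without it stale stack bytes past the
 * terminator would be written out. A name that does not fit is refused
 * rather than silently truncated. Returns 0 on success, negative on error. */
int checkpoint_lsm_name(struct image *img, const char *lsm_name)
{
    char rec[LSM_REC_LEN];
    size_t n = strlen(lsm_name);

    if (n >= sizeof rec)
        return -2;
    memset(rec, 0, sizeof rec);
    memcpy(rec, lsm_name, n);
    return image_write(img, rec, sizeof rec);
}

/* Restore side: read the record at offset off and check that it is
 * well-formed (NUL-terminated, padding all zero) and that it names the LSM
 * running on the restoring host. Returns 0 on match, negative otherwise. */
int restore_check_lsm_name(const struct image *img, size_t off,
                           const char *running_lsm)
{
    const unsigned char *rec, *nul;
    size_t i;

    if (off > img->len || img->len - off < LSM_REC_LEN)
        return -1;                      /* record is truncated */
    rec = img->buf + off;
    nul = memchr(rec, 0, LSM_REC_LEN);
    if (!nul)
        return -2;                      /* no terminator at all */
    for (i = (size_t)(nul - rec); i < LSM_REC_LEN; i++)
        if (rec[i] != 0)
            return -3;                  /* non-zero bytes after the terminator */
    if (strcmp((const char *)rec, running_lsm) != 0)
        return -4;                      /* checkpointed under a different LSM */
    return 0;
}

int main(void)
{
    struct image img = { {0}, 0 };
    uint32_t magic = 0x43523031u;       /* constructed header word, not the real header */

    image_write(&img, &magic, sizeof magic);
    checkpoint_lsm_name(&img, "selinux");
    printf("restore under selinux: %d\n",
           restore_check_lsm_name(&img, sizeof magic, "selinux"));
    printf("restore under smack:   %d\n",
           restore_check_lsm_name(&img, sizeof magic, "smack"));
    return 0;
}
```

The restore check deliberately rejects a record with non-zero bytes after the terminator: with the memset in place such bytes can never appear in a genuine image, so their presence means the image was produced without the zeroing or has been tampered with, and refusing it is cheaper than guessing.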

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
