Re: [PATCH v10] LSM: Multiple concurrent LSMs

On 12/13/2012 4:06 AM, Tetsuo Handa wrote:
> Casey Schaufler wrote:
>> You're suggesting that we don't change the kernel until the
>> applications are fixed. No one is going to change the applications
>> until the kernel is fixed.
> People *can* change the applications before the kernel is changed if a clear
> specification is provided. That's why my approach has a migration period.

Of course they *can*, they just *won't*. The whole discussion
is based on the fact that people resist change so strenuously.

>> I have also added LSM identified files in /proc/.../attr:
>>
>> 	/proc/.../attr/current
>> 	/proc/.../attr/selinux.current
>> 	/proc/.../attr/apparmor.current
>> 	/proc/.../attr/keycreate
>> 	/proc/.../attr/selinux.keycreate
>>
>> SELinux applications and libraries can use simple logic to determine
>> what to do:
>>
>> 	if /sys/kernel/security/lsm does not contain "selinux"
>> 		Stop! No SELinux here!
>> 	if /sys/kernel/security/present does not contain "selinux"
>> 		Use selinux.current
>> 	else
>> 		Use current if you like.
>>
> Can we use prctl() interface instead of /proc/$pid/attr/$lsmname.$type ?
> I simply don't want to see a flood of entries when "find /proc/" runs. ;-)

That cat is so long out of the bag that it's been adopted and spayed.

>
> prctl() can tell the caller whether the specified LSM is enabled/present or not
> via its return value.
>
> I think we can provide a simple utility that maps
>
>   echo something > /proc/pid/attr/selinux.current
>
> to
>
>   prctl(PR_SET_SECURITY, pid, "selinux", "current", "something")
>
> and
>
>   cat /proc/pid/attr/selinux.current
>
> to
>
>   prctl(PR_GET_SECURITY, pid, "selinux", "current", buffer)
>
> for calling prctl() from script programs.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
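The three-step check quoted above, as an added example that is not part of this thread or of the patch series: it treats the securityfs listings as comma-separated token lists and returns the attr file name an SELinux-aware program should open. The /sys/kernel/security/present file and the selinux.current name are assumed from the proposal; neither is a guaranteed interface on a shipping kernel.

```c
#include <stdio.h>
#include <string.h>

/* Paths from the proposal above (assumed: "present" is not a merged kernel ABI). */
#define LSM_LIST_PATH    "/sys/kernel/security/lsm"
#define LSM_PRESENT_PATH "/sys/kernel/security/present"

/* 1 if the ','-separated list holds exactly `name` (strstr() would wrongly
 * accept "selinuxfoo"); a trailing '\n' also ends a token. */
int lsm_list_contains(const char *list, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = list;
    while (*p) {
        const char *end = p;
        while (*end && *end != ',' && *end != '\n')
            end++;
        if ((size_t)(end - p) == nlen && memcmp(p, name, nlen) == 0)
            return 1;
        p = *end ? end + 1 : end;   /* skip the separator, stop at NUL */
    }
    return 0;
}

/* The quoted three-step rule; NULL means "Stop! No SELinux here!". */
const char *selinux_attr_name(const char *lsm_list, const char *present_list)
{
    if (!lsm_list_contains(lsm_list, "selinux"))
        return NULL;
    if (!lsm_list_contains(present_list, "selinux"))
        return "selinux.current";   /* loaded, but "current" is another LSM's */
    return "current";               /* legacy name still refers to SELinux */
}

/* Read one small securityfs file; -1 if this kernel does not provide it. */
int read_small_file(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    buf[fread(buf, 1, len - 1, f)] = '\0';
    fclose(f);
    return 0;
}
```

Reading LSM_LIST_PATH and LSM_PRESENT_PATH with read_small_file() and passing both buffers to selinux_attr_name() yields the name to open under /proc/self/attr/, or NULL when SELinux is not loaded at all.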

