On Thu, Jan 12, 2017 at 11:49 AM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> On 1/12/2017 8:03 AM, Paul Moore wrote:
>> On Tue, Jan 10, 2017 at 12:28 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>> As reported by yangshukui, a permission denial from security_task_wait()
>>> can lead to a soft lockup in zap_pid_ns_processes() since it only expects
>>> sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can
>>> in general lead to zombies; in the absence of some way to automatically
>>> reparent a child process upon a denial, the hook is not useful. Remove
>>> the security hook and its implementations in SELinux and Smack. Smack
>>> already removed its check from its hook.
>>>
>>> Reported-by: yangshukui <yangshukui@xxxxxxxxxx>
>>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>
> Acked-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>
> In case you miss my earlier Ack.

Yep, already got it. I just wanted to try and avoid the situation where
both of us push this patch up to James for the next merge window.

>>> ---
>>> include/linux/lsm_hooks.h | 7 -------
>>> include/linux/security.h | 6 ------
>>> kernel/exit.c | 19 ++-----------------
>>> security/security.c | 6 ------
>>> security/selinux/hooks.c | 7 -------
>>> security/smack/smack_lsm.c | 20 --------------------
>>> 6 files changed, 2 insertions(+), 63 deletions(-)
>> Looks good to me and I'm not seeing any objections so I'll go ahead
>> and merge this into the selinux/next branch today unless Casey already
>> merged this into the Smack tree - Casey?
>
> Please go ahead and merge into the SELinux tree.
> It makes sense to do this atomically.
> Thank you.

Agreed. It should be in selinux/next now if you want to play.

-- 
paul moore
www.paul-moore.com
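
The failure mode described in the quoted commit message, as an added user-space model that is not part of the thread and is not kernel code. model_wait4(), struct model_ns, zap_loop() and the max_iter cap are hypothetical names; the loop shape is a simplified assumption that only encodes "the caller expects 0 or -ECHILD".

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model state: zombie children left in the pid namespace. */
struct model_ns {
    int children;
    int hook_denies;   /* 1 = the LSM task_wait hook refuses the reaper */
};

/* Hypothetical stand-in for sys_wait4(): not the kernel implementation. */
static int model_wait4(struct model_ns *ns)
{
    if (ns->children == 0)
        return -ECHILD;          /* nothing left to wait for */
    if (ns->hook_denies)
        return -EACCES;          /* denial: the child stays a zombie */
    ns->children--;              /* child reaped */
    return 0;
}

/*
 * Loop that treats -ECHILD as its only exit condition, as the commit
 * message says the caller expects. Returns the number of wait calls,
 * or -1 when max_iter is hit (the model's stand-in for a soft lockup).
 */
int zap_loop(int children, int hook_denies, int max_iter)
{
    struct model_ns ns = { children, hook_denies };
    int calls = 0, rc;

    do {
        if (calls == max_iter)
            return -1;           /* never saw -ECHILD: would spin forever */
        rc = model_wait4(&ns);
        calls++;
    } while (rc != -ECHILD);
    return calls;
}

int main(void)
{
    printf("hook allows: %d wait calls\n", zap_loop(3, 0, 1000));
    printf("hook denies: %d\n", zap_loop(3, 1, 1000));
    return 0;
}
```

With the hook allowing the wait, three children are reaped and the fourth call returns -ECHILD; with the hook denying, the child count never drops and the exit condition is never reached.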