From: Stephen Smalley <sds@tycho.nsa.gov>
To: Eric Paris <eparis@redhat.com>
Cc: selinux@tycho.nsa.gov, jmorris@namei.org
Subject: Re: [PATCH 2/3] SELinux: call capabilities code directory
Date: Tue, 10 Feb 2009 09:06:38 -0500 [thread overview]
Message-ID: <1234274798.4642.24.camel@localhost.localdomain> (raw)
In-Reply-To: <20090209213719.9537.98143.stgit@paris.rdu.redhat.com>
On Mon, 2009-02-09 at 16:37 -0500, Eric Paris wrote:
> For cleanliness and efficiency remove all calls to secondary-> and instead
> call capabilities code directly. capabilities are the only module that
> selinux stacks with and so the code should not indicate that other stacking
> might be possible.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
>
> security/selinux/hooks.c | 28 ++++++++++++++--------------
> 1 files changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6e6847d..e2bdb28 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2087,7 +2087,7 @@ static int selinux_syslog(int type)
> * mapping. 0 means there is enough memory for the allocation to
> * succeed and -ENOMEM implies there is not.
> *
> - * Note that secondary_ops->capable and task_has_perm_noaudit return 0
> + * Note that cap_capable and task_has_perm_noaudit return 0
This part of the comment is a bit out of date - at this point we are
just calling selinux_capable(...SECURITY_CAP_NOAUDIT) rather than
separately calling cap_capable() and task_has_perm_noaudit().
> * if the capability is granted, but __vm_enough_memory requires 1 if
> * the capability is granted.
> *
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-02-10 14:06 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-09 21:37 [PATCH 1/3] SELinux: fix selinux to safely handle any bugs even when not CONFIG_BUG Eric Paris
2009-02-09 21:37 ` [PATCH 2/3] SELinux: call capabilities code directory Eric Paris
2009-02-10 14:06 ` Stephen Smalley [this message]
2009-02-10 14:30 ` Eric Paris
2009-02-09 21:37 ` [PATCH 3/3] SELinux: better printk when file with invalid label found Eric Paris
2009-02-10 14:14 ` Stephen Smalley
2009-02-10 14:30 ` Eric Paris
2009-02-10 14:59 ` Stephen Smalley
2009-02-10 14:00 ` [PATCH 1/3] SELinux: fix selinux to safely handle any bugs even when not CONFIG_BUG Stephen Smalley
2009-02-10 14:39 ` Eric Paris
2009-02-10 14:52 ` James Morris
2009-02-10 15:05 ` Stephen Smalley
2009-02-10 16:37 ` Paul Moore
2009-02-12 22:56 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1234274798.4642.24.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.