From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Linux Containers
<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
alexey-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org
Subject: Re: [PATCH 4/6] cr: checkpoint and restore task credentials
Date: Tue, 19 May 2009 08:35:26 -0500 [thread overview]
Message-ID: <20090519133526.GB32685@us.ibm.com> (raw)
In-Reply-To: <16258.1242721606-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Quoting David Howells (dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> wrote:
>
> > +/* move this code into kernel/cred.c and do proper perms checking of course */
> > +struct cred *restore_read_cred(struct ckpt_ctx *ctx)
> > +{
>
> This function needs to fix up cred->security.
Yup -it's not at all clear to me yet how to go about that, so I'll
need to have a discussion on the LSM list about whether a pair
of new security_ops hook is called for. One to authorize restart,
based on the current domain and the type of the mm->exe_file being
executed (and maybe the type of the checkpoint image file), and
one to calculate the new domain to enter at the end of restart.
Or did you mean something else by 'fix up' cred->security?
thanks,
-serge
next prev parent reply other threads:[~2009-05-19 13:35 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-19 1:44 [PATCH 0/6] cr: credentials Serge E. Hallyn
[not found] ` <20090519014446.GA28277-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-19 1:45 ` [PATCH 1/6] cr: break out new_user_ns() Serge E. Hallyn
2009-05-19 1:45 ` [PATCH 2/6] cr: split core function out of some set*{u,g}id functions Serge E. Hallyn
2009-05-19 1:45 ` [PATCH 3/6] cr: capabilities: define checkpoint and restore fns Serge E. Hallyn
2009-05-19 1:45 ` [PATCH 4/6] cr: checkpoint and restore task credentials Serge E. Hallyn
2009-05-19 1:45 ` [PATCH 5/6] cr: restore file->f_cred Serge E. Hallyn
[not found] ` <20090519014546.GE28312-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-20 15:08 ` Oren Laadan
[not found] ` <4A141CEE.2080100-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2009-05-20 15:25 ` Serge E. Hallyn
[not found] ` <20090520152527.GA28585-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-20 15:26 ` Oren Laadan
2009-05-19 1:45 ` [PATCH 6/6] user namespaces: debug refcounts Serge E. Hallyn
[not found] ` <20090519014538.GD28312-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-19 8:26 ` [PATCH 4/6] cr: checkpoint and restore task credentials David Howells
[not found] ` <16258.1242721606-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2009-05-19 13:35 ` Serge E. Hallyn [this message]
[not found] ` <20090519133526.GB32685-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-19 14:26 ` David Howells
[not found] ` <19394.1242743199-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2009-05-19 14:46 ` Serge E. Hallyn
2009-05-20 15:35 ` Oren Laadan
[not found] ` <4A142350.1060308-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2009-05-20 15:53 ` Serge E. Hallyn
[not found] ` <20090520155332.GA28999-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-20 16:08 ` Oren Laadan
[not found] ` <4A142B05.4040907-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2009-05-20 16:13 ` Serge E. Hallyn
2009-05-20 16:54 ` Oren Laadan
[not found] ` <4A1435E0.3010306-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2009-05-20 21:40 ` Serge E. Hallyn
[not found] ` <20090520214027.GA3517-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-21 14:02 ` Oren Laadan
[not found] ` <4A155EEC.9070509-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2009-05-21 14:14 ` Serge E. Hallyn
2009-05-20 21:52 ` Serge E. Hallyn
[not found] ` <20090520215250.GB3517-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-21 14:13 ` Oren Laadan
2009-05-20 22:16 ` Serge E. Hallyn
[not found] ` <20090520221600.GA3925-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-21 6:03 ` Oren Laadan
2009-05-20 16:56 ` Oren Laadan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090519133526.GB32685@us.ibm.com \
--to=serue-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
--cc=alexey-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
--cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.