From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to handle glibc-triggered behavior?
Date: Thu, 10 Dec 2015 16:20:40 +0100 [thread overview]
Message-ID: <20151210152039.GC22216@x250> (raw)
In-Reply-To: <56699355.6010402@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Thu, Dec 10, 2015 at 03:59:33PM +0100, Laurent Bigonville wrote:
> Hey,
>
> Le 21/12/14 13:15, Sven Vermeulen a ?crit :
> > glibc's malloc implementation, in multithreaded applications, might read
> > /proc/sys/vm/overcommit_memory to check if the heap can be shrunk or not
> > (when the allocated memory is part of the non-main arena). That means that
> > read access to sysctl_vm_t becomes a wide request.
> >
> > Not granting privileges might result in different memory behavior, where the
> > system administrator might have tuned/tweaked memory allocations on Linux,
> > but malloc() ignoring this due to SELinux denying access to the settings.
> >
> > I'm wondering how to properly tackle this. Granting this on a per-domain
> > level is probably not manageable, but granting this for all domains (through
> > the "domain" attribute) might be overshooting.
> >
> > Are there specific risks that I should take into account when granting read
> > access to sysctl_vm_t?
> >
> > Wkr,
> > Sven Vermeulen
> I'm bumping this again topic again.
>
> Is there anything blocking a fix for this?
I like the idea but i think "domain" should not be used for this.
>
> Cheers,
>
> Laurent Bigonville
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
- --
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCgAGBQJWaZhDAAoJENAR6kfG5xmc1lcL/15emhsOZE9MjSc/gSkt8hKg
EnTjV/HuBWQUtMbw94PaiMmcFz1xfQukp1E+caD+cPngCjGVZS674pD43xgZp+5l
VaUbvu+V7J2PTyuB2Llm0g1dPOg7AX/53x3Wi8Z8MDTEmxw3QtV1kIfNRGww++XO
7PUc6eavZRDwS0an6jz4PjElbJ3+bJKMA+qj5d7xbORD4rwFY0nnn1JPTEE5n9Ew
z2eO7OyP/+PnHpTQyg8OZ7G0xM+hhXy+5FohB95/l9Nv+qxzQSjG66F1PY0oXCJq
WQKQZWY1xtEmgRSE4AuMDgm0hB+E7kI2WuXeQK34SqD4X6gCO8JM6PqK+QS1bHuN
1nvIznM5rxfhBvUhQjFyZkbRAurQvHO8/zfcWSoY1mQ/2eqyb4qXS7murD1Fihml
sv87xzK+1HyMP95BnjDnHukQeBRgm9vNy8QDvTukA5WzRd53ueJVNgEG3P7qyAl0
ftgRvPKUoWRYqLD9qAWzb0Z8Q7/+Xn2IwDw9XVVDVw==
=um/m
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2015-12-10 15:20 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-21 12:15 [refpolicy] How to handle glibc-triggered behavior? Sven Vermeulen
2015-01-12 14:03 ` Christopher J. PeBenito
2015-04-03 13:47 ` Miroslav Grepl
2015-04-03 15:44 ` Dominick Grift
2015-12-10 14:59 ` Laurent Bigonville
2015-12-10 15:11 ` Dominick Grift
2015-12-10 15:13 ` Dominick Grift
2015-12-10 15:44 ` Christopher J. PeBenito
2015-12-10 15:49 ` Dominick Grift
2015-12-10 15:51 ` Dominick Grift
2015-12-10 15:20 ` Dominick Grift [this message]
2015-12-10 15:29 ` Dominick Grift
2015-12-10 15:40 ` Dominick Grift
2015-12-10 15:53 ` Christopher J. PeBenito
2015-12-10 15:56 ` Dominick Grift
2015-12-10 16:00 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151210152039.GC22216@x250 \
--to=dac.override@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.