From: Crispin Cowan <crispin-RL8T2ARnKKfZw9hOtrW0rA@public.gmane.org>
To: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Joshua Brindle <method-PzTJMJMxY2mwxnkjfAeQoA@public.gmane.org>,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org,
menage-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org,
Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
Subject: Re: [PATCH 2/2] hijack: update task_alloc_security
Date: Tue, 27 Nov 2007 21:50:00 -0800
Message-ID: <474D0188.2040600@crispincowan.com>
In-Reply-To: <20071127154356.GA32362-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org>
Serge E. Hallyn wrote:
> Quoting Stephen Smalley (sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org):
>
>> I agree with this part - we don't want people to have to choose between
>> using containers and using selinux, so if hijack is going to be a
>> requirement for effective use of containers, then we need to make them
>> work together.
>>
> Absolutely, we just need to decide how to properly make it work with
> selinux. Maybe we check for
>
> allow (current_domain):(hijacked_process_domain) hijack
> type_transition hijacked_process_domain \
> vserver_enter_binary_t:process vserver1_hijack_admin_t;
>
Is there to be an LSM hook, so that modules can decide on an arbitrary
decision of whether to allow a hijack? So that this "do the right
SELinux" thing can be generalized for all LSMs to do the right thing.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
CEO, Mercenary Linux http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work
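An added example, not code from the hijack patch, the kernel, or anyone in this thread: a user-space model of the hook Crispin is asking for. The hook name task_hijack / security_task_hijack, the task fields, the two modules and the policy rules are all constructed for illustration; only the shape (a per-module function pointer that a framework wrapper consults, so sys_hijack itself never reasons about labels) follows the struct security_operations design of the time. The SELinux-style module evaluates the two policy statements Serge quoted (an allow rule for the hijack permission and a type_transition keyed on the hijacked domain and the entering binary's type); the capability-style module shows a second LSM reaching a different verdict through the same hook.

```c
/* Added example: user-space model of a hypothetical LSM hook for sys_hijack.
 * Nothing here is kernel code; names and policy are constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct task {
    const char *comm;
    int cap_sys_admin;      /* stands in for capable(CAP_SYS_ADMIN) */
    const char *domain;     /* SELinux domain of the task (constructed label) */
    const char *exec_type;  /* SELinux type of the binary the task is running */
};

/* Modelled on struct security_operations; task_hijack is hypothetical.
 * new_domain receives the domain the hijacking child should run in. */
struct security_ops {
    const char *name;
    int (*task_hijack)(const struct task *cur, const struct task *target,
                       const char **new_domain);
};

/* Module 1: capability style. No labels, just CAP_SYS_ADMIN. */
static int cap_task_hijack(const struct task *cur, const struct task *target,
                           const char **new_domain)
{
    (void)target;
    *new_domain = cur->domain;            /* child keeps the caller's label */
    return cur->cap_sys_admin ? 0 : -EPERM;
}

/* Module 2: SELinux style, evaluating the two statements from the thread:
 *   allow src:tgt hijack;
 *   type_transition src exec:process result;
 * The rule tables below are constructed policy for this example. */
struct allow_rule { const char *src, *tgt; };
struct transition { const char *src, *exec, *result; };

static const struct allow_rule allow_rules[] = {
    { "sysadm_t", "vserver1_t" },
};
static const struct transition transitions[] = {
    { "vserver1_t", "vserver_enter_binary_t", "vserver1_hijack_admin_t" },
};

static int selinux_task_hijack(const struct task *cur, const struct task *target,
                               const char **new_domain)
{
    size_t i;
    int allowed = 0;

    for (i = 0; i < sizeof allow_rules / sizeof allow_rules[0]; i++)
        if (!strcmp(allow_rules[i].src, cur->domain) &&
            !strcmp(allow_rules[i].tgt, target->domain))
            allowed = 1;
    if (!allowed)
        return -EACCES;                   /* where avc_has_perm() would deny */

    /* Modelling assumption: without a matching type_transition the child
     * runs in the hijacked task's domain. */
    *new_domain = target->domain;
    for (i = 0; i < sizeof transitions / sizeof transitions[0]; i++)
        if (!strcmp(transitions[i].src, target->domain) &&
            !strcmp(transitions[i].exec, cur->exec_type))
            *new_domain = transitions[i].result;
    return 0;
}

static const struct security_ops capability_ops = { "capability", cap_task_hijack };
static const struct security_ops selinux_ops    = { "selinux",    selinux_task_hijack };

/* Framework wrapper: what sys_hijack() would call. Whichever module is
 * registered makes the decision; the syscall only honours the verdict. */
static const struct security_ops *security_ops = &capability_ops;

static int security_task_hijack(const struct task *cur, const struct task *target,
                                const char **new_domain)
{
    return security_ops->task_hijack(cur, target, new_domain);
}

/* Constructed scenario tasks: an admin and an unprivileged user both trying
 * to hijack the init task of a container labelled vserver1_t. */
static const struct task admin_task   = { "vserver-enter", 1, "sysadm_t",   "vserver_enter_binary_t" };
static const struct task user_task    = { "vserver-enter", 0, "user_t",     "vserver_enter_binary_t" };
static const struct task vserver_init = { "init",          0, "vserver1_t", "init_exec_t" };

static const char *last_new_domain;

/* Select a module, run the hook once, return its verdict (0 or -errno). */
static int run_scenario(const char *lsm, const struct task *cur, const struct task *target)
{
    security_ops = !strcmp(lsm, "selinux") ? &selinux_ops : &capability_ops;
    last_new_domain = NULL;
    return security_task_hijack(cur, target, &last_new_domain);
}

int main(void)
{
    printf("capability/admin: %d\n", run_scenario("capability", &admin_task, &vserver_init));
    printf("capability/user:  %d\n", run_scenario("capability", &user_task,  &vserver_init));
    printf("selinux/admin:    %d, child domain %s\n",
           run_scenario("selinux", &admin_task, &vserver_init), last_new_domain);
    printf("selinux/user:     %d\n", run_scenario("selinux", &user_task,  &vserver_init));
    return 0;
}
```

The point of the model is the split of responsibility: the syscall path calls one hook and carries the returned domain into the child's task security blob, while the policy question (capability, type enforcement, or anything else) lives entirely in the module. Varying the exec_type of the caller or dropping the transition row shows how the type_transition decides which domain the hijacking child lands in.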
Thread overview: 33+ messages
2007-11-27  1:54 [PATCH 1/2] namespaces: introduce sys_hijack (v10) Mark Nelson
2007-11-27  2:00 ` [PATCH 2/2] hijack: update task_alloc_security Mark Nelson
2007-11-27  6:58 ` [PATCH 1/2] namespaces: introduce sys_hijack (v10) Crispin Cowan
2007-11-27  5:04 ` [PATCH 2/2] hijack: update task_alloc_security Casey Schaufler
2007-11-27  5:52 ` Joshua Brindle
2007-11-27 14:36 ` Stephen Smalley
2007-11-27 15:43 ` Serge E. Hallyn
2007-11-28  5:50 ` Crispin Cowan [this message]
2007-11-28 14:54 ` Serge E. Hallyn
2007-11-29  4:21 ` Crispin Cowan
2007-11-29 15:38 ` Serge E. Hallyn
2007-12-02  1:07 ` Crispin Cowan
2007-12-03 14:50 ` Serge E. Hallyn
2007-12-03 19:43 ` Crispin Cowan
2007-11-27 16:01 ` Serge E. Hallyn
2007-11-28  5:53 ` Crispin Cowan
2007-11-28 14:57 ` Serge E. Hallyn
2007-11-27 16:11 ` [PATCH 1/2] namespaces: introduce sys_hijack (v10) Serge E. Hallyn
2007-11-27 18:09 ` Stephen Smalley
2007-11-27 22:38 ` Serge E. Hallyn
2007-11-27 22:54 ` Casey Schaufler
2007-11-28 15:00 ` Stephen Smalley
2007-11-28 15:23 ` Serge E. Hallyn
2007-11-30  2:08 ` Mark Nelson
2007-11-30  2:10 ` Paul Menage
2007-11-30  2:37 ` Eric W. Biederman
2007-11-30 14:50 ` Serge E. Hallyn
2007-11-30 22:09 ` Eric W. Biederman
2007-11-30 14:50 ` Serge E. Hallyn
2007-11-28 14:25 ` Serge E. Hallyn
-- strict thread matches above, loose matches on Subject: below --
2007-11-27 11:08 [PATCH 2/2] hijack: update task_alloc_security Rodrigo Rubira Branco (BSDaemon)
2007-11-27 15:50 ` Serge E. Hallyn
2007-11-27 17:05 Serge E. Hallyn