Re: [1/1][PATCH] nproc v2: netlink access to /proc information

From: Roger Luethi
Date: Thu Sep 09 2004 - 16:04:09 EST


On Thu, 09 Sep 2004 16:01:06 -0400, Stephen Smalley wrote:
> > For the same reason, I'm not comfortable with implementing SELinux type
> > access controls myself. How about:
> >
> > config NPROC
> > depends on !SECURITY_SELINUX
> >
> > Adding access control later won't be a problem for anyone who groks
> > SELinux.
>
[...]
> Most obvious place to hook would be nproc_ps_get_task; we could then
> perform a check based on the sender's credentials and the target task's
> credentials, and simply return NULL if permission is not granted for
> that pair, thus skipping that task as if it didn't exist. That requires
> propagating the sender's credentials down to that function.
>
> Untested patch below.

I used a somewhat different approach in my development tree (not
SELinuxy, though): Most fields were world readable, some required
credentials.

I don't have any strong feelings on access control, so I'd be happy
with any mechanism that doesn't completely botch performance. Anyway,
I do not consider lack of access controls to be a showstopper.

Roger
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/