Re: [RFC] [PATCH] merge *_vm_enough_memory()s into a common helper

[Stephen Smalley]

On Tue, 2005-01-04 at 16:48, Serge E. Hallyn wrote:
> The attached patch introduces a __vm_enough_memory function in
> security/security.c which is used by cap_vm_enough_memory,
> dummy_vm_enough_memory, and selinux_vm_enough_memory.  This has
> been discussed on the lsm mailing list.

> + * Note that secondary_ops->capable and task_has_perm return 0 if
> + * the capability is granted, but __vm_enough_memory requires 1 if
> + * the capability is granted.

Should be avc_has_perm_noaudit, right?

> +	rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
> +	if (rc == 0)
> +		cap_sys_admin = avc_has_perm_noaudit(tsec->sid, tsec->sid,
> +					SECCLASS_CAPABILITY,
> +					CAP_TO_MASK(CAP_SYS_ADMIN),
> +					NULL);

Shouldn't this be 'rc = avc_has_perm...'?  And I'd suggest retaining the
comment from the original about why we don't want to audit here.

> -	vm_unacct_memory(pages);
> +	if (rc == 0)
> +		cap_sys_admin = 1;
>  
> -	return -ENOMEM;
> +	return __vm_enough_memory(pages, cap_sys_admin);
>  }

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/