Re: [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mmcode

[James Morris]

On Wed, 21 Jun 2006, Christoph Lameter wrote:

> On Wed, 21 Jun 2006, James Morris wrote:
> 
> > From: David Quigley <dpquigl@xxxxxxxxxxxxx>
> > 
> > This patch inserts the security hook calls into the setmempolicy function 
> > to enable security modules to mediate this operation between tasks.
> 
> Setting a memory policy is different from migrating pages of an 
> application. The migration function migrates a process, it does not set 
> any memory policies. Cpuset may change memory policies of the tasks 
> contained in it but sys_migrate_pages() cannot.

I'll let David and/or Stephen address this in detail, but what's being 
added here is a security asbtraction, where we consider these operations 
to be equivalent from an access control point of view.  So, one task 
causing another task's memory to be moved to another node is conisdered to 
be "setting memory policy" at a conceptual level.  Perhaps we could change 
the name of the hook to make that clearer (which you suggest below).

> We need a similar hook for the sys_move_pages() function call in mm right?

Yes, the hook is also added to sys_move_pages() in the patch.

> If this is a generic hook then I would suggest to have some hook that 
> contains the term "memory placement" somewhere that would fit both system 
> calls.
> 

-- 
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/