Re: [patch 0/4] MAP_NOZERO v2 - VM_NOZERO/MAP_NOZERO early summermadness

[Davide Libenzi]

On Mon, 2 Jul 2007, Ulrich Drepper wrote:

> On 7/2/07, Rik van Riel <riel@xxxxxxxxxx> wrote:
> > That should not happen.  The default SELinux configuration
> > in Fedora (and Debian?) runs a few daemons in their own
> > restricted modes and has most of the system running in
> > unconfined_t, including the majority of user programs.
> 
> This is the state as of F7.  This will change hopefully soon.
> Programs like firefox run by normal users must be confined, to. Any
> tests using security must be fast, it's not something which is done
> only for a few apps.

The strong requirement would be that the cookie is not a bit longer than 
sizeof(unsigned long).
For the "equality" check, this better be "==", although it could be 
abstracted in a function/macro that SeLinux implements in a different way.
But this "equality" check is done a page-fault time, so it better be 
pretty quick (otherwise if they bloat that path, they probably be better 
of not using MAP_NOZERO at all).



- Davide


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/