Re: [PATCH 4/6] Add dynamic context transition support to SELinux
From: Chris Wright
Date: Thu Dec 02 2004 - 13:37:37 EST
* Stephen Smalley (sds@xxxxxxxxxxxxxx) wrote:
> This patch for 2.6.10-rc2-mm4 adds dynamic context transition support to SELinux via
This is nice to see.
> + /* Only allow single threaded processes to change context */
> + if (atomic_read(&p->mm->mm_users) != 1) {
> + struct task_struct *g, *t;
> + struct mm_struct *mm = p->mm;
> + read_lock(&tasklist_lock);
> + do_each_thread(g, t)
> + if (t->mm == mm && t != p) {
> + read_unlock(&tasklist_lock);
> + return -EPERM;
> + }
> + while_each_thread(g, t);
> + read_unlock(&tasklist_lock);
That's heavy handed. Can't you track this at clone time? Or at least
do this after the AVC check, so it's not always locking task list.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/