Re: [PATCH 5/9] Make use of permissions, returned by kobj_lookup
From: Serge E. Hallyn
Date: Sat Mar 08 2008 - 16:48:25 EST
Quoting Greg KH (greg@xxxxxxxxx):
> On Fri, Mar 07, 2008 at 12:50:52PM -0600, Serge E. Hallyn wrote:
> > Quoting Greg KH (greg@xxxxxxxxx):
> > > On Fri, Mar 07, 2008 at 11:35:42AM -0600, Serge E. Hallyn wrote:
> > > > > Do you really want to run other LSMs within a containerd kernel? Is
> > > > > that a requirement? It would seem to run counter to the main goal of
> > > > > containers to me.
> > > >
> > > > Until user namespaces are complete, selinux seems the only good solution
> > > > to offer isolation.
> > >
> > > Great, use that instead :)
> >
> > That can't work as is since you can't specify major:minor in policy.
>
> Your LSM can not, or the LSM interface does not allow this to happen?
No my lsm in fact does, you just can't do it with selinux policy at the
moment. I was still responding to your "just use selinux" :)
> > So all we could do again is simply refuse all mknod, which we can
> > already do with per-process capability bounding sets.
>
> I thought we passed that info down to the LSM module, can't you do your
> selection at that point in time?
>
> And then, just mediate open() like always, right?
Yup, the patch I included inline does that.
An LSM can address the problem. It just felt like more of a
patch-over-the-real-problem kind of solution.
thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/