3.2-rc1 rebase review
Tetsuo Handa
from-ubuntu at I-love.SAKURA.ne.jp
Wed Nov 9 21:46:48 UTC 2011
Kees Cook wrote:
> > because passing security=yama causes default capability hooks (which are no-op)
> > to be called after yama hooks are called.
>
> I'm not entirely following you. With the Yama forced stacking patch,
> Yama's hooks are always run first,
Right.
> and if another LSM is primary, then
> its hooks are run if Yama didn't reject it.
Right.
> The results should be the
> same whether booted with "security=yama" or not.
Right, but
> Maybe I've
> misunderstood something?
passing security=yama and passing security=none generate the same result
because capability hooks are no-op.

I'm suggesting that we can remove

    security_ops->ptrace_access_check == yama_ptrace_access_check
    security_ops->path_link == yama_path_link
    security_ops->inode_follow_link == yama_inode_follow_link
    security_ops->task_prctl == yama_task_prctl
    security_ops->task_free == yama_task_free

checks by removing

    register_security(&yama_ops)
    security_module_enable(&yama_ops)

calls.