3.2-rc1 rebase review

Tetsuo Handa from-ubuntu at I-love.SAKURA.ne.jp
Wed Nov 9 21:46:48 UTC 2011

Kees Cook wrote:
> > because passing security=yama causes default capability hooks (which are no-op)
> > to be called after yama hooks are called.
> I'm not entirely following you. With the Yama forced stacking patch,
> Yama's hooks are always run first,

> and if another LSM is primary, then
> its hooks are run if Yama didn't reject it.

> The results should be the
> same whether booted with "security=yama" or not.
Right, but

> Maybe I've
> misunderstood something?
passing security=yama and passing security=none generates the same result
because capability hooks are no-op.

I'm suggesting that we can remove

  security_ops->ptrace_access_check == yama_ptrace_access_check
  security_ops->path_link == yama_path_link
  security_ops->inode_follow_link == yama_inode_follow_link
  security_ops->task_prctl == yama_task_prctl
  security_ops->task_free == yama_task_free

checks by removing
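Added example, not from this thread or from the Ubuntu kernel tree: a small user-space model of the forced-stacking dispatch the thread describes. It assumes a simplified Yama rule (only a descendant may be ptraced), a no-op capability hook, and a security_ops table selected the way "security=" would select it; the names select_primary and run_case are hypothetical. It shows the point being made above: Yama runs first, the primary LSM's hook runs only if Yama allowed and only if the primary is not Yama itself (the "security_ops->ptrace_access_check == yama_ptrace_access_check" check), so "security=yama" and "security=none" produce the same verdict and the Yama hook runs exactly once in both cases.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the dispatch discussed in the thread; not kernel code.
 * A hook returns 0 to allow or a negative errno-style value to deny. */
#define EACCES_VAL 13

typedef int (*ptrace_hook_t)(int child_is_descendant);

struct security_ops {
    ptrace_hook_t ptrace_access_check;
};

static int yama_calls;   /* how often the Yama hook ran (demo counter only) */

/* Model of Yama: allow only if the target is a descendant (assumption). */
static int yama_ptrace_access_check(int child_is_descendant)
{
    yama_calls++;
    return child_is_descendant ? 0 : -EACCES_VAL;
}

/* Model of the default capability hook: a no-op that always allows. */
static int cap_ptrace_access_check(int child_is_descendant)
{
    (void)child_is_descendant;
    return 0;
}

static struct security_ops yama_ops = { yama_ptrace_access_check };
static struct security_ops capability_ops = { cap_ptrace_access_check };
static struct security_ops *security_ops = &capability_ops;

/* Hypothetical: picks the primary LSM as a security= boot parameter would.
 * Anything other than "yama" (including "none") leaves the default hooks. */
void select_primary(const char *name)
{
    if (strcmp(name, "yama") == 0)
        security_ops = &yama_ops;
    else
        security_ops = &capability_ops;
}

/* Forced stacking: Yama first; the primary LSM only if Yama allowed, and
 * skipped entirely when the primary is Yama, so Yama is not run twice. */
int security_ptrace_access_check(int child_is_descendant)
{
    int rc = yama_ptrace_access_check(child_is_descendant);
    if (rc || security_ops->ptrace_access_check == yama_ptrace_access_check)
        return rc;
    return security_ops->ptrace_access_check(child_is_descendant);
}

/* Hypothetical helper: runs one case and reports how often Yama ran. */
int run_case(const char *primary, int child_is_descendant, int *calls)
{
    int rc;
    yama_calls = 0;
    select_primary(primary);
    rc = security_ptrace_access_check(child_is_descendant);
    *calls = yama_calls;
    return rc;
}

int main(void)
{
    const char *names[] = { "yama", "none" };
    int i, d, calls;
    for (i = 0; i < 2; i++) {
        for (d = 0; d < 2; d++) {
            int rc = run_case(names[i], d, &calls);
            printf("security=%s descendant=%d -> rc=%d (yama hook ran %d time%s)\n",
                   names[i], d, rc, calls, calls == 1 ? "" : "s");
        }
    }
    return 0;
}
```

Removing the equality check from the dispatch in this model would make the "yama" case call the Yama hook twice, which is what the check exists to prevent; the verdicts would still be identical across both boot parameters because the only other hook is a no-op.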
