Re: [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Casey Schaufler <casey@schaufler-ca.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Oren Laadan <orenl@cs.columbia.edu>,
	Linux Containers <containers@lists.osdl.org>,
	linux-security-module@vger.kernel.org,
	SELinux <selinux@tycho.nsa.gov>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Stephen Smalley <sds@epoch.ncsc.mil>,
	James Morris <jmorris@namei.org>,
	David Howells <dhowells@redhat.com>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 2/5] cr: checkpoint the active LSM and add	RESTART_KEEP_LSM flag
Date: Mon, 31 Aug 2009 22:51:50 -0700	[thread overview]
Message-ID: <4A9CB676.8070405@schaufler-ca.com> (raw)
In-Reply-To: <20090831133656.GC4837@us.ibm.com>

Serge E. Hallyn wrote:
> Quoting Serge E. Hallyn (serue@us.ibm.com):
>   
>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>     
>>> Serge E. Hallyn wrote:
>>>       
>>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>>> So do you think that adding a policy version check in the kernel
>>>> at restart would help this?
>>>>         
>> For the moment I intend to add a patch on top of these adding two
>> security calls:
>>
>> 	security_may_checkpoint(ctx) which will authorize the
>> 		ability to checkpoint at all, and
>>     
>
> I meant:
>
> 	security_may_restore(ctx).
>   

As much as I hate adding more hooks, you could argue for both.

WARNING: multiple messages have this Message-ID (diff)

From: Casey Schaufler <casey@schaufler-ca.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Oren Laadan <orenl@cs.columbia.edu>,
	Linux Containers <containers@lists.osdl.org>,
	linux-security-module@vger.kernel.org,
	SELinux <selinux@tycho.nsa.gov>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Stephen Smalley <sds@epoch.ncsc.mil>,
	James Morris <jmorris@namei.org>,
	David Howells <dhowells@redhat.com>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 2/5] cr: checkpoint the active LSM and add	RESTART_KEEP_LSM flag
Date: Mon, 31 Aug 2009 22:51:50 -0700	[thread overview]
Message-ID: <4A9CB676.8070405@schaufler-ca.com> (raw)
In-Reply-To: <20090831133656.GC4837@us.ibm.com>

Serge E. Hallyn wrote:
> Quoting Serge E. Hallyn (serue@us.ibm.com):
>   
>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>     
>>> Serge E. Hallyn wrote:
>>>       
>>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>>> So do you think that adding a policy version check in the kernel
>>>> at restart would help this?
>>>>         
>> For the moment I intend to add a patch on top of these adding two
>> security calls:
>>
>> 	security_may_checkpoint(ctx) which will authorize the
>> 		ability to checkpoint at all, and
>>     
>
> I meant:
>
> 	security_may_restore(ctx).
>   

As much as I hate adding more hooks, you could argue for both.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2009-09-01  5:51 UTC|newest]

Thread overview: 56+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-08-28 21:00 [PATCH 1/5] cr: define ckpt_debug if CONFIG_CHECKPOINT=n Serge E. Hallyn
2009-08-28 21:02 ` [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag Serge E. Hallyn
2009-08-28 21:02   ` Serge E. Hallyn
2009-08-28 21:03   ` [PATCH 1/1] mktree: accept the lsm_name field in header and add -k flag Serge E. Hallyn
2009-08-28 21:03     ` Serge E. Hallyn
2009-08-29  4:43   ` [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag Casey Schaufler
2009-08-29  4:43     ` Casey Schaufler
2009-08-29 22:59     ` Serge E. Hallyn
2009-08-29 22:59       ` Serge E. Hallyn
2009-08-30  0:03       ` Casey Schaufler
2009-08-30  0:03         ` Casey Schaufler
2009-08-30 13:48         ` Serge E. Hallyn
2009-08-30 13:48           ` Serge E. Hallyn
2009-08-30 18:58           ` Casey Schaufler
2009-08-30 18:58             ` Casey Schaufler
2009-08-30 20:24             ` Serge E. Hallyn
2009-08-30 20:24               ` Serge E. Hallyn
2009-08-30 21:43               ` Casey Schaufler
2009-08-30 21:43                 ` Casey Schaufler
2009-08-31 13:22                 ` Serge E. Hallyn
2009-08-31 13:22                   ` Serge E. Hallyn
2009-08-31 13:36                   ` Serge E. Hallyn
2009-08-31 13:36                     ` Serge E. Hallyn
2009-09-01  5:51                     ` Casey Schaufler [this message]
2009-09-01  5:51                       ` Casey Schaufler
     [not found]             ` <4A9ACBD4.4020804-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2009-09-01 12:29               ` Russell Coker
2009-09-01 12:29                 ` Russell Coker
2009-09-02 16:36                 ` Casey Schaufler
2009-09-02 16:36                   ` Casey Schaufler
2009-09-02 18:55                   ` Shaya Potter
2009-09-02 22:27                     ` Casey Schaufler
2009-09-02 22:27                       ` Casey Schaufler
2009-08-28 21:04 ` [PATCH 3/5] cr: add generic LSM c/r support Serge E. Hallyn
2009-08-28 21:04   ` Serge E. Hallyn
2009-08-29  4:30   ` Casey Schaufler
2009-08-29  4:30     ` Casey Schaufler
2009-08-29 22:41     ` Serge E. Hallyn
2009-08-29 22:41       ` Serge E. Hallyn
2009-08-29 23:40       ` Casey Schaufler
2009-08-29 23:40         ` Casey Schaufler
2009-08-30 13:58         ` Serge E. Hallyn
2009-08-30 13:58           ` Serge E. Hallyn
2009-08-30 19:03           ` Casey Schaufler
2009-08-30 19:03             ` Casey Schaufler
2009-08-30 20:26             ` Serge E. Hallyn
2009-08-30 20:26               ` Serge E. Hallyn
     [not found]             ` <4A9ACD0A.9050004-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2009-08-31 12:45               ` Stephen Smalley
2009-08-31 12:45                 ` Stephen Smalley
2009-09-01  5:49                 ` Casey Schaufler
2009-09-01  5:49                   ` Casey Schaufler
2009-09-04 13:38                   ` Serge E. Hallyn
2009-09-04 13:38                     ` Serge E. Hallyn
2009-08-28 21:04 ` [PATCH 4/5] cr: add smack support to lsm c/r Serge E. Hallyn
2009-08-28 21:04   ` Serge E. Hallyn
2009-08-28 21:05 ` [PATCH 5/5] cr: add selinux support Serge E. Hallyn
2009-08-28 21:05   ` Serge E. Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4A9CB676.8070405@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=adobriyan@gmail.com \
    --cc=containers@lists.osdl.org \
    --cc=dhowells@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=jmorris@namei.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=orenl@cs.columbia.edu \
    --cc=sds@epoch.ncsc.mil \
    --cc=selinux@tycho.nsa.gov \
    --cc=serue@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.