On Tue, Dec 6, 2016 at 5:40 PM, Jamie Strandboge <[email protected]> wrote:
> I forgot to reiterate: the above is true *unless* there is another
> non-DAC, non-MAC kernel mediation (eg, does the kernel only allow modifying the 'comm' value
> of its own threads? If so, then the rule would be safe to add to the default
> abstraction (though we should document that it is safe)).

Thanks for your help Jamie on thinking through the implications of this - I really highly appreciate it!

For the given interface the v2 should be safe, see e.g. http://man7.org/linux/man-pages/man5/proc.5.html

Quoting from there: "... A thread may modify *its* comm value, or that of any of other thread *in the same thread group* ..."

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
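The kernel-side check the reply relies on can be observed directly. The following is an added example, not code from the libvir-list thread or from libvirt: it writes to /proc/<pid>/comm from the process itself (allowed) and from a forked child that shares the uid but not the thread group (refused by the kernel with EINVAL, independent of DAC or of any AppArmor rule). Linux-only; assumes /proc is mounted.

```c
/* Added example, not code from the libvir-list thread: exercise the kernel-side
 * mediation of /proc/<pid>/comm writes that the reply above relies on.
 * Linux-only; assumes /proc is mounted. Names are truncated to 15 bytes. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write `name` into /proc/<pid>/comm. Returns 0 on success, -errno on failure. */
static int write_comm(pid_t pid, const char *name)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, name, strlen(name)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* 1 if /proc/self/comm (the thread group leader's name) currently reads `name`. */
static int self_comm_is(const char *name)
{
    char buf[32] = {0};
    int fd = open("/proc/self/comm", O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[strcspn(buf, "\n")] = '\0';  /* the kernel appends a newline */
    return strcmp(buf, name) == 0;
}

/* Renaming our own thread group: the kernel permits this. */
static int rename_self(const char *name) { return write_comm(getpid(), name); }
/* A forked child (other thread group, same uid, so DAC alone lets it open the file)
 * renames its parent; the kernel's same_thread_group() check yields -EINVAL. */
static int child_renames_parent(void)
{
    pid_t child = fork();
    if (child < 0) return -errno;
    if (child == 0) _exit(-write_comm(getppid(), "hijacked") & 0xff);
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) return -ECHILD;
    return -WEXITSTATUS(status);
}
```

The same-thread-group case from the man page (a thread renaming a sibling via /proc/self/task/[tid]/comm) is the permitted path that rename_self() exercises for the leader; the cross-process case is what an AppArmor write rule on comm cannot widen, because the kernel refuses it before any DAC or MAC decision matters.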
--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
