Stephen Smalley <[EMAIL PROTECTED]> wrote: > That sounds workable, although I think he will want a more specific hook > than security_secctx_to_secid(), or possibly a second hook call, that > would not only validate the context but authorize the use of it by the > cachefilesd process. And then the security_task_kernel_act_as() hook > just takes the secid as input rather than the task struct of the daemon, > and applies it. At that point, nfsd can use the same mechanism for > setting the acting SID based on the client process after doing its own > authorization.
I thought using secids was verboten as it made things too specific. Have you example code for the security hook you mention? I'm not sure I understand why security_secctx_to_secid() is not sufficient. Or is it that I need something that takes a secctx, converts it to a secid and authorises its use all in one go? If it's this, why can't that be rolles into security_task_kernel_act_as()? That sets up a task_security struct which is then switched in and out without consultation of the LSM. David - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
