Re: [RFC][PATCH] Security hook for vm_enough_memory

Alan Cox (alan@lxorguk.ukuu.org.uk)
23 Jun 2003 17:40:25 +0100


On Llu, 2003-06-23 at 17:25, Stephen Smalley wrote:
> This patch for 2.5.73 replaces the CAP_SYS_ADMIN test in
> vm_enough_memory with a security_vm_allocate hook call so that security
> modules such as SELinux can distinguish this test from other
> CAP_SYS_ADMIN checks. This change is necessary since the
> vm_enough_memory capability check is applied to all processes that
> allocate mappings and we don't want to spuriously audit CAP_SYS_ADMIN
> denials generated by this test. If anyone has any objections to this
> patch, please let me know. Thanks.

Is there any reason for not wrapping the entire vm_enough_memory() function
and using the current one as default. In some environments being able to make
total commit constraints based on roles may actually be useful.

(Think "sum of students memory < 40% of system" 8))

vm_enough_memory has to be kernel side but its basically policy so pluggable
IMHO is good.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/