Re: [RFC] cgroups: implement device whitelist lsm (v2)

On Wed, 12 Mar 2008, Serge E. Hallyn wrote:

> +#ifdef CONFIG_SECURITY
> +static struct security_operations devcgroup_security_ops = {
> +	.inode_mknod = 			devcgroup_inode_mknod,
> +	.inode_permission = 		devcgroup_inode_permission,
> +
> +	.ptrace =			cap_ptrace,
> +	.capget =			cap_capget,
> +	.capset_check =			cap_capset_check,
> +	.capset_set =			cap_capset_set,
> +	.capable =			cap_capable,
> +	.settime =			cap_settime,
> +	.netlink_send =			cap_netlink_send,
> +	.netlink_recv =			cap_netlink_recv,
> +
> +	.bprm_apply_creds =		cap_bprm_apply_creds,
> +	.bprm_set_security =		cap_bprm_set_security,
> +	.bprm_secureexec =		cap_bprm_secureexec,
> +
> +	.inode_setxattr =		cap_inode_setxattr,
> +	.inode_removexattr =		cap_inode_removexattr,
> +	.inode_need_killpriv =		cap_inode_need_killpriv,
> +	.inode_killpriv =		cap_inode_killpriv,
> +
> +	.task_kill =			cap_task_kill,
> +	.task_setscheduler =		cap_task_setscheduler,
> +	.task_setioprio =		cap_task_setioprio,
> +	.task_setnice =			cap_task_setnice,
> +	.task_post_setuid =		cap_task_post_setuid,
> +	.task_prctl =                   cap_task_prctl,
> +	.task_reparent_to_init =	cap_task_reparent_to_init,
> +
> +	.syslog =                       cap_syslog,
> +
> +	.vm_enough_memory =             cap_vm_enough_memory,
> +};

For lower overall complexity, why not just extend the capability LSM to 
include the devcgroup_ perms if CONFIG_CGROUP_DEV ?



- James
-- 
James Morris
<jmorris@namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html