Re: [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code



On Wed, 21 Jun 2006, Christoph Lameter wrote:

> On Wed, 21 Jun 2006, James Morris wrote:
>
> > From: David Quigley <dpquigl@xxxxxxxxxxxxx>
> >
> > This patch inserts the security hook calls into the setmempolicy function
> > to enable security modules to mediate this operation between tasks.
>
> Setting a memory policy is different from migrating pages of an
> application. The migration function migrates a process, it does not set
> any memory policies. Cpuset may change memory policies of the tasks
> contained in it but sys_migrate_pages() cannot.

I'll let David and/or Stephen address this in detail, but what's being
added here is a security abstraction, where we consider these operations
to be equivalent from an access control point of view. So, one task
causing another task's memory to be moved to another node is considered to
be "setting memory policy" at a conceptual level. Perhaps we could change
the name of the hook to make that clearer (which you suggest below).

> We need a similar hook for the sys_move_pages() function call in mm right?

Yes, the hook is also added to sys_move_pages() in the patch.

> If this is a generic hook then I would suggest to have some hook that
> contains the term "memory placement" somewhere that would fit both system
> calls.


--
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


