Casey Schaufler <[EMAIL PROTECTED]> wrote: > What sort of authorization are you thinking of? I would expect > that to have been done by cachefileselinuxcontext (or > cachefilesspiffylsmcontext) up in userspace. If you're going to > rely on userspace applications for policy enforcement they need > to be good enough to count on after all.
It can't be done in userspace, otherwise someone using the cachefilesd interface can pass an arbitrary context up. The security context has to be passed across the file descriptor attached to /dev/cachefiles along with the other configuration parameters as a text string. This fd selects the particular cache context that a particular instance of a running daemon is using. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/