Quoting Dwight Engen (dwight.en...@oracle.com):
> On Sun, 14 Sep 2014 03:49:32 +
> Serge Hallyn wrote:
>
> > (If we go this route we can also drop the whole lsm_label_get()
> > method and the lsm_label field in the attach context info)
> >
> > Apparmor policies require mount restrictions to
On Sun, 14 Sep 2014 03:49:32 +
Serge Hallyn wrote:
> (If we go this route we can also drop the whole lsm_label_get()
> method and the lsm_label field in the attach context info)
>
> Apparmor policies require mount restrictions to fullfill many of
> their promises - for instance if proc can b
Quoting Stéphane Graber (stgra...@ubuntu.com):
> On Sun, Sep 14, 2014 at 03:49:32AM +, Serge Hallyn wrote:
> > (If we go this route we can also drop the whole lsm_label_get()
> > method and the lsm_label field in the attach context info)
>
> I'm not too familiar with the lsm code and I tend to
On Sun, Sep 14, 2014 at 03:49:32AM +, Serge Hallyn wrote:
> (If we go this route we can also drop the whole lsm_label_get()
> method and the lsm_label field in the attach context info)
I'm not too familiar with the lsm code and I tend to get lost in there,
so just a few questions to confirm th
(If we go this route we can also drop the whole lsm_label_get()
method and the lsm_label field in the attach context info)
Apparmor policies require mount restrictions to fullfill many of
their promises - for instance if proc can be mounted anywhere,
then 'deny /proc/sysrq-trigger w' prevents only