[PATCH v2 0/7] Smack namespace

Lukasz Pawelczyk l.pawelczyk at samsung.com
Wed May 27 09:36:12 UTC 2015


On Tue, 2015-05-26 at 10:35 -0400, Stephen Smalley wrote:
> On 05/25/2015 08:32 AM, Lukasz Pawelczyk wrote:
> > --- Usage ---
> > 
> > Smack namespace is written using LSM hooks inside user namespace. That
> > means it's connected to it.
> > 
> > To create a new Smack namespace you need to unshare() user namespace
> > as usual. If that is all you do though, then there is no difference to
> > what is now. To activate the Smack namespace you need to fill the
> > labels' map. It is in a file /proc/$PID/smack_map.
> 
> This should be /proc/$PID/attr/label_map or similar, modeled after the
> existing /proc/$PID/attr/current and similar nodes.  Then it isn't
> module-specific and can be reused for other modules.

To make this generic I'll have to introduce new LSM hooks to handle this
file (much like /proc/$PID/attr/current).
I take it this is what you had in mind.


-- 
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics




