[PATCH v2 0/7] Smack namespace

Stephen Smalley sds at tycho.nsa.gov
Wed May 27 13:33:25 UTC 2015

On 05/27/2015 05:36 AM, Lukasz Pawelczyk wrote:
> On wto, 2015-05-26 at 10:35 -0400, Stephen Smalley wrote:
>> On 05/25/2015 08:32 AM, Lukasz Pawelczyk wrote:
>>> --- Usage ---
>>> Smack namespace is written using LSM hooks inside user namespace. That
>>> means it's connected to it.
>>> To create a new Smack namespace you need to unshare() user namespace
>>> as usual. If that is all you do though, than there is no difference to
>>> what is now. To activate the Smack namespace you need to fill the
>>> labels' map. It is in a file /proc/$PID/smack_map.
>> This should be /proc/$PID/attr/label_map or similar, modeled after the
>> existing /proc/$PID/attr/current and similar nodes.  Then it isn't
>> module-specific and can be reused for other modules.
> To make this generic I'll have to introduce new LSH hooks to handle this
> file (much like /proc/$PID/attr/current).
> I take this is what you had in mind.

We don't have separate hooks for the
nodes.  Just one hook that passes the attribute name, and then the
security hook implementation can distinguish on that.

More information about the Containers mailing list