Re: [RFC] [PATCH] merge *_vm_enough_memory()s into a common helper
From: Nikita Danilov
Date: Tue Jan 04 2005 - 18:07:08 EST
"Serge E. Hallyn" <serue@xxxxxxxxxx> writes:
> The attached patch introduces a __vm_enough_memory function in
> security/security.c which is used by cap_vm_enough_memory,
> dummy_vm_enough_memory, and selinux_vm_enough_memory. This has
> been discussed on the lsm mailing list.
>
> Are there any objections to or comments on this patch?
>
> thanks,
> -serge
>
> Signed-off-by: Serge Hallyn <serue@xxxxxxxxxx>
>
[...]
> -
> - return -ENOMEM;
> + return __vm_enough_memory(pages,
> + (cap_capable(current, CAP_SYS_ADMIN) == 0));
I don't think that CAP_SYS_ADMIN is proper capability for this:
CAP_SYS_ADMIN is catch-all that should be used only when no other
capability covers action being performed. In this case CAP_SYS_RESOURCE
seems to be a better fit, after all __vm_enough_memory() controls access
to a resource, plus file systems use CAP_SYS_RESOURCE to protect disk
blocks reserved for "root".
> }
[...]
Nikita.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/