Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

From: TomÃÅ Trnka
Date: Tue Dec 12 2017 - 10:45:00 EST

Next message: Georgi Djakov: "Re: [PATCH v3 1/3] interconnect: Add generic on-chip interconnect API"
Previous message: Markus Heiser: "Re: [PATCH] docs: fix, intel_guc_loader.c has been moved to intel_guc_fw.c"
In reply to: TomÃÅ Trnka: "System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux"
Next in thread: Kees Cook: "Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Of course this can be somewhat worked around by adjusting the SELinux policy
> (allowing blanket noatsecure permission for init_t and possibly others) or
> by pam_limits (for components using PAM).

Correction: pam_limits also usually doesn't help here, as it's often followed
by another secureexec (for example when login (local_login_t) executes the
shell with transition to unconfined_t).

2T

Next message: Georgi Djakov: "Re: [PATCH v3 1/3] interconnect: Add generic on-chip interconnect API"
Previous message: Markus Heiser: "Re: [PATCH] docs: fix, intel_guc_loader.c has been moved to intel_guc_fw.c"
In reply to: TomÃÅ Trnka: "System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux"
Next in thread: Kees Cook: "Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]