Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux

From: TomÃÅ Trnka
Date: Tue Dec 12 2017 - 14:36:26 EST

Next message: Al Viro: "Re: [RFC][PATCH] new byteorder primitives - ..._{replace,get}_bits()"
Previous message: Paul E. McKenney: "Re: [PATCH] ARM: CPU hotplug: Delegate complete() to surviving CPU"
In reply to: Kees Cook: "Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux"
Next in thread: Laura Abbott: "Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tuesday, 12 December 2017 20:23:47 CET Kees Cook wrote:
> This is an interesting state for the system to be in, though, it means
> AT_SECURE is being set for virtually all processes too? I would expect
> that might break a lot too (but clearly it hasn't).

Not really. AT_SECURE is set only for the exec that triggers a domain
transition, but unlike the rlimits it's not inherited by descendants (as long
as they stay within the same SELinux domain).

2T

Next message: Al Viro: "Re: [RFC][PATCH] new byteorder primitives - ..._{replace,get}_bits()"
Previous message: Paul E. McKenney: "Re: [PATCH] ARM: CPU hotplug: Delegate complete() to surviving CPU"
In reply to: Kees Cook: "Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux"
Next in thread: Laura Abbott: "Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]