    [PATCH] SELinux: add dynamic context transition support to SELinux · c75bbce4
    Stephen D. Smalley authored
    This patch adds dynamic context transition support to SELinux via writes
    to the existing /proc/pid/attr/current interface.
    
    Previously, SELinux only supported exec-based context transitions.  This
    functionality allows privileged applications to apply privilege bracketing
    without necessarily being refactored to an exec-based model (although such a
    model has advantages in least privilege and isolation).
    
    A process must have setcurrent permission to use this mechanism at all, and
    the dyntransition permission must be granted between the old and new security
    contexts.  Multi-threaded processes are not allowed to use this operation, as
    it will yield an inconsistency among the security contexts of the threads
    sharing the same mm.
    
    Ptrace permission is revalidated against the new context if the process is
    being ptraced.
    
    Author:  Darrel Goeddel <dgoeddel@trustedcs.com>
    Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
    Signed-off-by: James Morris <jmorris@redhat.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
av_permissions.h 51.1 KB
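The commit message above describes the userspace side of the mechanism only in one sentence: a single-threaded process writes the target security context to /proc/self/attr/current, and the kernel grants the change only if policy allows `setcurrent` on the caller and `dyntransition` from the old context to the new one. The following program is an added example, not code from the commit or from the SELinux project, showing how an application would use this interface for privilege bracketing and how it should handle refusal. The policy rules quoted in the header comment and the domain names `foo_t` / `foo_bracketed_t` are assumptions for illustration; `parse_thread_count` and `dyntransition` are hypothetical helper names.

```c
/* Added example (not part of the commit): perform a dynamic SELinux
 * context transition by writing the new context to /proc/self/attr/current.
 *
 * The kernel enforces what the commit message states: the caller needs
 * process:setcurrent on itself and process:dyntransition from the old
 * context to the new one, and multi-threaded callers are refused. In
 * policy language that would read roughly (assumed rules, not from the page):
 *   allow foo_t self:process setcurrent;
 *   allow foo_t foo_bracketed_t:process dyntransition;
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the "Threads:" field out of a /proc/self/status buffer.
 * Returns the thread count, or -1 if the field is missing or malformed. */
int parse_thread_count(const char *status_text)
{
    const char *p = strstr(status_text, "Threads:");
    if (!p)
        return -1;
    p += strlen("Threads:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    long n = strtol(p, &end, 10);
    if (end == p || n < 0)
        return -1;
    return (int)n;
}

/* Read a small /proc file into buf; returns bytes read, or -1 with errno set. */
static ssize_t read_proc_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Thread count of the calling process according to /proc/self/status. */
int current_thread_count(void)
{
    char buf[4096];
    if (read_proc_file("/proc/self/status", buf, sizeof buf) < 0)
        return -1;
    return parse_thread_count(buf);
}

/* Attempt the dynamic transition. Returns 0 on success, otherwise a negative
 * errno. A kernel without SELinux, or a policy lacking setcurrent or
 * dyntransition, refuses the write: the caller must treat that as a failed
 * privilege drop and stop, never continue as if it had succeeded. */
int dyntransition(const char *new_context)
{
    /* Userspace pre-check mirroring the kernel rule: threads sharing one mm
     * must not end up in different contexts, so refuse before trying. */
    int threads = current_thread_count();
    if (threads < 0)
        return -ENOENT;   /* no /proc/self/status: cannot establish single-threadedness */
    if (threads != 1)
        return -EBUSY;

    int fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0)
        return -errno;
    size_t len = strlen(new_context);
    ssize_t n = write(fd, new_context, len);
    int err = errno;
    close(fd);
    if (n < 0)
        return -err;
    if ((size_t)n != len)
        return -EIO;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <new_security_context>\n", argv[0]);
        return 2;
    }
    int rc = dyntransition(argv[1]);
    if (rc != 0) {
        fprintf(stderr, "dyntransition to %s refused: %s\n", argv[1], strerror(-rc));
        return 1;
    }
    /* The bracketed, less-privileged section of the program would run here. */
    return 0;
}
```

Running this on a host without SELinux, or under a policy that grants neither permission, fails at the `write` and the program exits non-zero; that is the intended behaviour, since a bracketing step that silently continues in the old context defeats the purpose. The thread-count pre-check is only a convenience for a clearer error; the kernel performs its own check regardless.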