Casey Schaufler <casey@schaufler-ca.com> writes:

quoted text
> --- "Eric W. Biederman" <ebiederm@xmission.com> wrote:
>
>
>> My very practical question:  How do I run selinux in one container,
>> and SMACK in another?
>
> How would you run PREEMPT_RT in one container, and PREEMPT_DESKTOP
> in another?

Well the style of kernel preemption is generally an implementation
detail that is not visible to user space.

quoted text
> How would you run SMP in one and UP in the other?
Bind all of the UP processes to a single cpu.

quoted text
> One aspect that SELinux and Smack share is that they only really
> provide security if all processes involved are under their control,
> just like the preemption behavior.

Right.  But in a container that look like a full system arguably this
is doable.  There are a few additional details that would be needed
to ensure containers are isolated from each other that would be
needed to ensure this is effective but those are fairly minor.

quoted text
> This is not necessarily true of all possible LSMs. In that case it may
> be practicle to have different behavior for different containers.

When we get to the point where this is a real concern I believe the
isolation will be sufficient that this it is a valid question to
ask.

If there is nothing visible to user space I don't care.  But security
modules are fundamentally about changing when -EPERM happens so are
very visible to user space.

Eric
-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/