changeset 7895:8e08c56c414c
[fmac-discuss] [PATCH] Simplify FMAC exec logic
With the change in the prior patch to the exec code path to also set the
process suid flags when fmac_execsetid is true (i.e. when execsetid
permission is not allowed between the old and new contexts), we can
simplify the FMAC processing in the exec code path. If we set
PRIV_INCREASE in the privflags when fmac_execsetid is true, then the
subsequent exec logic will set the linker security flag and the process
suid flags without requiring any further checking of fmac_execsetid. As
fmac_execsetid is no longer being used only to set the linker security
flag, the fmac_execsetid boolean is renamed to setprivinc, and the
"execsetid" FMAC permission is renamed to "noprivinc" (i.e. no need to
assert privilege increase protections on this domain transition). There
should be no actual change in behavior as a result, just an
implementation that fits better into the existing logic. This patch
applies on top of the prior one.
Webrev available at: http://cr.opensolaris.org/~sds/privinc/
author: Stephen Smalley <sds@tycho.nsa.gov>