Casey Schaufler <[EMAIL PROTECTED]> writes: > --- "Eric W. Biederman" <[EMAIL PROTECTED]> wrote: > > >> My very practical question: How do I run selinux in one container, >> and SMACK in another? > > How would you run PREEMPT_RT in one container, and PREEMPT_DESKTOP > in another?
Well the style of kernel preemption is generally an implementation detail that is not visible to user space. > How would you run SMP in one and UP in the other? Bind all of the UP processes to a single cpu. > One aspect that SELinux and Smack share is that they only really > provide security if all processes involved are under their control, > just like the preemption behavior. Right. But in a container that look like a full system arguably this is doable. There are a few additional details that would be needed to ensure containers are isolated from each other that would be needed to ensure this is effective but those are fairly minor. > This is not necessarily true of all possible LSMs. In that case it may > be practicle to have different behavior for different containers. When we get to the point where this is a real concern I believe the isolation will be sufficient that this it is a valid question to ask. If there is nothing visible to user space I don't care. But security modules are fundamentally about changing when -EPERM happens so are very visible to user space. Eric - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
