From: Tomáš Trnka
To: linux-kernel@vger.kernel.org
Cc: Kees Cook
Subject: Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux
Date: Tue, 12 Dec 2017 16:44:52 +0100
Message-ID: <1669126.Pey9B8WxsI@electra>
In-Reply-To: <4229475.4Lp8rLWMsd@electra>
References: <4229475.4Lp8rLWMsd@electra>

> Of course this can be somewhat worked around by adjusting the SELinux policy
> (allowing blanket noatsecure permission for init_t and possibly others) or
> by pam_limits (for components using PAM).

Correction: pam_limits also usually doesn't help here, as it's often followed
by another secureexec (for example when login (local_login_t) executes the
shell with transition to unconfined_t).
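The following program is an added example; it is not part of Tomáš Trnka's message and is not kernel code. It models the behaviour the thread is about: on an exec that the LSM flags as secure (bprm->secureexec, visible to userspace as AT_SECURE in the auxiliary vector), Linux 4.14's setup_new_exec() lowers the RLIMIT_STACK soft limit to _STK_LIM (8 MiB) if it was higher, leaving the hard limit alone; under SELinux every domain transition without noatsecure is such an exec. The exec chain (init_t -> local_login_t -> unconfined_t), the point at which pam_limits raises the limit, and the 8 MiB constant are assumptions taken from the message and from the 4.14 rule, not something the e-mail states explicitly. The program also reports the AT_SECURE flag and stack limits of the process it runs in, which is the check a practitioner would use to see whether their own shell went through the reset.

```c
/*
 * Added example (not from the e-mail or the kernel tree).
 * Models the RLIMIT_STACK soft-limit reset that Linux 4.14 applies on a
 * secure exec and shows why a limit raised by pam_limits inside login
 * does not survive the later login -> shell SELinux transition.
 *
 * Assumptions: the 4.14 rule (soft limit lowered to _STK_LIM = 8 MiB on
 * secureexec, hard limit untouched); the chain and step index below are
 * constructed from the e-mail's description.
 *
 * Build: cc -o secexec_stack secexec_stack.c
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Kernel _STK_LIM (assumption: 8 MiB, as in 4.14). */
#define STK_LIM ((rlim_t)8 * 1024 * 1024)

/* One exec in the chain from init to the user's shell. */
struct exec_step {
    const char *from;   /* SELinux source domain (illustrative label) */
    const char *to;     /* SELinux target domain after the transition */
    int secureexec;     /* 1 if the LSM set bprm->secureexec (AT_SECURE=1) */
};

/* The modelled kernel rule: cap the soft limit at STK_LIM on a secure exec. */
rlim_t stack_limit_after_exec(rlim_t soft, int secureexec)
{
    if (secureexec && soft > STK_LIM)
        return STK_LIM;
    return soft;
}

/*
 * Walk a chain of execs. pam_limits is modelled as setting the soft limit
 * to pam_soft in the process that is about to perform exec number pam_step
 * (login does this before it execs the user's shell).
 */
rlim_t effective_stack_limit(const struct exec_step *chain, size_t n,
                             size_t pam_step, rlim_t pam_soft,
                             rlim_t initial_soft)
{
    rlim_t soft = initial_soft;
    for (size_t i = 0; i < n; i++) {
        if (i == pam_step)
            soft = pam_soft;                 /* pam_limits runs here */
        soft = stack_limit_after_exec(soft, chain[i].secureexec);
    }
    return soft;
}

/* Constructed chain from the e-mail: init execs login, login execs the shell. */
static const struct exec_step chain_default[] = {
    { "init_t",        "local_login_t", 1 },
    { "local_login_t", "unconfined_t",  1 },   /* transition: AT_SECURE set */
};
/* Same chain if policy grants noatsecure on the login -> shell transition. */
static const struct exec_step chain_noatsecure[] = {
    { "init_t",        "local_login_t", 1 },
    { "local_login_t", "unconfined_t",  0 },
};
#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Limit the shell ends up with when limits.conf asks for "stack unlimited". */
rlim_t shell_limit_default(void)
{
    return effective_stack_limit(chain_default, NELEMS(chain_default),
                                 1, RLIM_INFINITY, STK_LIM);
}
rlim_t shell_limit_noatsecure(void)
{
    return effective_stack_limit(chain_noatsecure, NELEMS(chain_noatsecure),
                                 1, RLIM_INFINITY, STK_LIM);
}

static void print_limit(const char *label, rlim_t v)
{
    if (v == RLIM_INFINITY)
        printf("%-36s unlimited\n", label);
    else
        printf("%-36s %llu bytes\n", label, (unsigned long long)v);
}

int main(void)
{
    struct rlimit rl;

    /* What this process actually got from its own exec. */
#ifdef __linux__
    printf("%-36s %lu\n", "AT_SECURE (this process):", getauxval(AT_SECURE));
#endif
    if (getrlimit(RLIMIT_STACK, &rl) == 0) {
        print_limit("RLIMIT_STACK soft (this process):", rl.rlim_cur);
        print_limit("RLIMIT_STACK hard (this process):", rl.rlim_max);
    }

    /* Predicted outcome of the modelled login -> shell chain. */
    print_limit("shell soft limit, default policy:", shell_limit_default());
    print_limit("shell soft limit, with noatsecure:", shell_limit_noatsecure());
    return 0;
}
```

Run from the shell whose limits look wrong: AT_SECURE printed as 1 together with a soft limit of exactly 8388608 bytes, while limits.conf asks for more, means the shell was started through a secure exec and had its limit reset; `ulimit -s` in that shell reports the same value. The two predicted lines show the effect of granting noatsecure on the login -> shell transition, which is the only way, in this model, for pam_limits' setting to reach the shell.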