Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752479AbdLLTgW (ORCPT ); Tue, 12 Dec 2017 14:36:22 -0500 Received: from ext4.scm.com ([138.201.125.236]:53886 "EHLO ext4.scm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752279AbdLLTgT (ORCPT ); Tue, 12 Dec 2017 14:36:19 -0500 From: =?utf-8?B?VG9tw6HFoQ==?= Trnka To: Kees Cook Cc: LKML , Stephen Smalley , Paul Moore , Linus Torvalds , Laura Abbott Subject: Re: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux Date: Tue, 12 Dec 2017 20:36:15 +0100 Message-ID: <4264998.bHD3OVdLUx@electra> In-Reply-To: References: <4229475.4Lp8rLWMsd@electra> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 460 Lines: 10 On Tuesday, 12 December 2017 20:23:47 CET Kees Cook wrote: > This is an interesting state for the system to be in, though, it means > AT_SECURE is being set for virtually all processes too? I would expect > that might break a lot too (but clearly it hasn't). Not really. AT_SECURE is set only for the exec that triggers a domain transition, but unlike the rlimits it's not inherited by descendants (as long as they stay within the same SELinux domain). 2T