YAMAMOTO Takashi wrote:
>>>>>> proc_isunder() should be in the secmodel.
>>>>> do you mean chroot(8) should be a part of secmodel?
>>>> it already kinda is. we don't provide any context (yet) but there is
>>>> a chroot action. I would like to move proc_isunder() to the secmodel
>>>> code, yes.
>>> i don't see how it could be done efficiently.
>> are you talking about the entire chroot mechanism or just chroot
>> enforcement for the four subsystems in question?
> 
> the former.

we'll cross that bridge when we get to it. ;)

do you want me to put proc_isunder() back in the callers rather than the
secmodel for now? I don't have a strong opinion about that.

also, other than the above, is it okay to commit?

-e.

-- 
Elad Efrat