> >>>> proc_isunder() should be in the secmodel.
> >>> do you mean chroot(8) should be a part of secmodel?
> >> it already kinda is. we don't provide any context (yet) but there is
> >> a chroot action. I would like to move proc_isunder() to the secmodel
> >> code, yes.
> > 
> > i don't see how it could be done efficiently.
> 
> are you talking about the entire chroot mechanism or just chroot
> enforcement for the four subsystems in question?

the former.

YAMAMOTO Takashi