richard offer wrote:

> * If your modules can support allowed_to_open(), and my modules
> * can deliberately skip implementing it, can we both go home happy?
>
> Yes, as long as you accept that your applications will only work on your system
> and mine will only work on mine. Oh, and common apps such as sendmail, apache,
> X need to support everybody's policies on a run-time basis....

"allowed_to_open()" already exists: it is called "access(2)". Say "man 2 access" for details.

LSM modules should hook the access() syscall, so that they can answer the question according to current policy. Just exactly what each module does with the hook is up to them. For instance, a honeypot module may full well intend to lie to the access() request, if you want to try to spoof the attacker into believing they're in an environment other than they think they are.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 12:57:45 PDT
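
Added example, not part of the original message or of any LSM code: a user-space `allowed_to_open()` built on access(2), plus a check that compares its answer with what open(2) then does, since the answer is whatever current policy chooses to report. The helper bodies, `answer_matches_open()`, `make_sample()` and the `/tmp` file name are hypothetical; note that access(2) checks with the real UID/GID and its answer can be stale by the time open(2) runs.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: map open(2) access flags to an access(2) mode.
 * Returns 1 if access(2) says yes, 0 otherwise (errno set by access). */
int allowed_to_open(const char *path, int flags)
{
    int mode;
    switch (flags & O_ACCMODE) {
    case O_RDONLY: mode = R_OK;        break;
    case O_WRONLY: mode = W_OK;        break;
    case O_RDWR:   mode = R_OK | W_OK; break;
    default:       errno = EINVAL;     return 0;
    }
    return access(path, mode) == 0;
}

/* Compare the advisory answer with the real open(2) result.
 * Returns 1 when they agree, 0 when the answer and the open differ. */
int answer_matches_open(const char *path, int flags)
{
    int predicted = allowed_to_open(path, flags);
    int fd = open(path, flags);
    int actual = (fd >= 0);
    if (fd >= 0)
        close(fd);
    return predicted == actual;
}

/* Constructed sample input: a private file; O_EXCL refuses existing paths
 * and symlinks. Returns 0 on success and leaves the name in buf. */
int make_sample(char *buf, size_t n)
{
    snprintf(buf, n, "/tmp/access_demo_%ld", (long)getpid());
    int fd = open(buf, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}

int main(void)
{
    char path[64];
    if (make_sample(path, sizeof path) != 0) { perror("open"); return 1; }
    printf("O_RDWR allowed: %d\n", allowed_to_open(path, O_RDWR));
    printf("agrees with open(2): %d\n", answer_matches_open(path, O_RDWR));
    return unlink(path);
}
```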