> Furthermore, I don't know if requiring the module to support such query
> interfaces is a good idea either -- the policy a module may desire to
> implement may wish to restrict this sort of information. Requiring the
> module to support query interfaces would leak this information, going
> against the module's design policy.

Hmm... I was thinking about this and I am not sure I totally agree with it. The logic here is that a security policy designer may not want to let the user know whether they have access to opening a file. But the user could at any time try to open a file and fail -- giving away the same information.

However, this leads me to believe that we don't need an extra "access()" style interface, because in a sense it already exists. I don't think we should introduce *linux kernel ONLY* functions that aren't standard *IF* we don't have to. I agree with Crispin that we have some liberty with what we add, but we shouldn't use that liberty when we don't have to (IMO.)

Those are my two cents.

Kurt P. Hundeck

PS: I am Canadian, so I realize how little my two cents are REALLY worth. ;-)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 16:56:52 PDT