Re: linux-security-module digest, Vol 1 #80 - 12 msgs

From: David Wheeler (dwheelerat_private)
Date: Tue May 22 2001 - 18:16:15 PDT

  • Next message: jmjonesat_private: "Re: Extending a Security Module"

    Valdis.Kletnieksat_private said:
    > We may not want to support multiple modules at the moment, but we certainly
    > *do* want to take a *little* time and at least make sure that we do things
    > in a fashion that isn't actively hostile to deploying them at a later date.
    > We'd be remiss in not doing at least a "If we do it THIS way we can <handwave>
    > here and be done easily, but if we do it THAT way we'll have to <handwave>,
    > <wave dead chickens>, and <apply crowbars and high explosives> to fit it in
    > later"....
    I agree; I believe that having stackable modules (or at least knowing
    how to add them and anticipating them) is very important to making
    this work.  However, the stacking infrastructure can be quite simple.
    The "hooks" can be designed so that they only call one function,
    and if you want to stack functions, you first load a "multiplexor".
    The multiplexor can then implement a particular mixing policy.
    I know this has been previously discussed.
    Making it possible to combine smaller components to implement something
    complex is more than the "Unix way"; it's a well-established technique.
    True, this is kernelspace, but even in the kernel this is true.
    Indeed, the whole point of Linux modules is to make it possible to break
    a system down into smaller components.
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Tue May 22 2001 - 18:17:30 PDT