Chris Wright wrote:

> i guess i prefer the approach in option 2, but perhaps option 3 is more
> likely to be accepted in to the kernel.
>
> thoughts from the list? other options?

Another option we discussed in a meeting this afternoon was "kick capabilities out". All of the security modules we (WireX) understand are "restrictive", and only capabilities is "permissive". If we kick capabilities out of the picture, LSM gets simpler.

"Kick capabilities out" also comes in two flavors. One is to leave it in the kernel, rather than make it an LSM module. The other is to kick it right out of Linux, because the POSIX standard has failed, support for Capabilities in Linux is lame, and we think it sucks anyway :-)

As with some other options, this may be a hard sell. But I think it deserves serious consideration.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com//Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 22:53:28 PDT