Re: permissive vs. restrictive issue and solutions...

From: David Wagner (dawat_private)
Date: Thu May 31 2001 - 19:43:12 PDT


    Chris Wright wrote:
    >1.  Add separate hooks to explicitly allow both permissive and
    >restrictive policies.
    >
    >  this allows for flexibility at the expense of simplicity in the interface
    >  (as well as the kernel code since we'd be adding the hooks).
    
    This does not need to affect the simplicity of the kernel code.
    
    Consider the following design: The kernel exports security_ops->foo_hook
    to a multiplexor module (via whatever interface makes the kernel code
    cleanest); the multiplexor module allows policy modules to hook into one
    or more of foo_restrictive_hook and foo_permissive_hook (via whatever
    interface makes policy module code cleanest).
    
    Moreover, it is not clear that this costs anything in the interface to
    the policy modules.  We might expect that many policy modules will be
    either permissive or restrictive, but not both, and such modules will
    have a clean interface.
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
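
The multiplexor design described in the message above, sketched as an added example (not code from the original post or from the LSM project). The message does not say how the multiplexor combines its hooks; assumed here: the kernel's own decision arrives as `kernel_rc`, any permissive hook may override a base denial, and any restrictive hook may veto the result. `mux_register`, `mux_foo_hook` and the two sample modules are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical hook type: 0 allows, a negative errno denies. */
typedef int (*foo_hook_t)(int subject, int object);
struct policy_module {               /* a module sets one hook or both */
    foo_hook_t foo_restrictive_hook; /* can only take access away */
    foo_hook_t foo_permissive_hook;  /* can only grant access */
};

#define MAX_MODULES 4
static const struct policy_module *modules[MAX_MODULES];
static size_t nmodules;

int mux_register(const struct policy_module *m)
{
    if (m == NULL || nmodules == MAX_MODULES) return -EINVAL;
    modules[nmodules++] = m;
    return 0;
}

/* The one foo_hook the kernel calls; kernel_rc is the kernel's own check. */
int mux_foo_hook(int kernel_rc, int subject, int object)
{
    int rc = kernel_rc;
    size_t i;
    /* Assumed rule: a base denial stands unless some permissive hook grants. */
    for (i = 0; rc != 0 && i < nmodules; i++)
        if (modules[i]->foo_permissive_hook &&
            modules[i]->foo_permissive_hook(subject, object) == 0)
            rc = 0;
    /* Assumed rule: any restrictive hook can still veto; first denial wins. */
    for (i = 0; rc == 0 && i < nmodules; i++)
        if (modules[i]->foo_restrictive_hook)
            rc = modules[i]->foo_restrictive_hook(subject, object);
    return rc;
}

/* Constructed sample policies: one restrictive-only, one permissive-only. */
static int deny_object_7(int s, int o) { (void)s; return o == 7 ? -EACCES : 0; }
static int grant_subject_1(int s, int o) { (void)o; return s == 1 ? 0 : -EPERM; }
const struct policy_module restrictive_mod = { deny_object_7, NULL };
const struct policy_module permissive_mod  = { NULL, grant_subject_1 };

int main(void)
{
    mux_register(&restrictive_mod);
    mux_register(&permissive_mod);
    return mux_foo_hook(-EPERM, 1, 3) != 0; /* exits 0: permissive grant */
}
```

Each sample module fills in only one of the two hooks, so a single-purpose policy never touches the other interface, while the kernel side still sees a single `foo_hook` entry point.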
    


