On Fri, 1 Jun 2001 sarnoldat_private wrote:

> Yeah, option number two sounds fine to me, though I am not enamoured
> with it. (Primarily because each module author will either need to
> duplicate the functionality of the current kernel checks, or will need
> to chain modules together. Worse things have happened, though. :)

"Limited stackable" or "Chained" is now possible, and with a tiny bit of refinement in the distant future, very practical. That eliminates a lot of *required* duplication of effort, and if you're writing a "whole ball of wax" module the small amount of logic that will move out is probably going to be insignificant to the total weight of the project, imho. If not, it would likely be easy to build common code that can be "sucked" into module code and modified at will...

I'm not overly comfortable with the presupposition that making module developers think through more things and code it is a bad thing (spoken as a "budding LSM developer")... differing solutions are to be valued, and to get them you need to create some "surmountable" problems. Security is not "easy" stuff. It requires serious thought, planning, and research. The more of the picture that ends up in the module development project, the better, in my view.

Then again, I've "yet to code" (factor 10), and there are "gotta PORT" projects that may see the exact opposite view.

Removing the need for module developers to think about it by keeping some decisions in the kernel as "sacred"... guarantees fewer "flashes of brilliance" without fighting to make the LSM interface patch include it, such as the post that started this discussion moving.

Rallying Cry: MOVE IT TO THE MODULE!

>
> Cheers
>

Salut!
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 11:11:33 PDT