On Wed, 6 Jun 2001, Chris Lundberg wrote:

> Chris (Other Chris): Move kernel logic into a default security module.
> Chain (or in some VERY restricted cases replace) onto that default module
> for everyone else's modules.

Could you clarify what you mean by "kernel logic"? (Same question to each person who is advocating moving the kernel logic into the modules).

For example, does "kernel logic" include all >500 calls to capable(), including cases where capable() is called by itself rather than being in compound logic? Or would you be satisfied simply to have the compound logic statements plus the guts of the capable function in the module, leaving many of the simple capable() calls unchanged?

Also, what part of permission() constitutes "kernel logic"? Is it just the vfs_permission logic? What about when the file system implementation defines its own permission routine for its inodes? Does "kernel logic" just mean the call to inode->i_op->permission, or does it mean all of the permission routines in the various filesystem implementations?

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private