Chris Wright wrote:
>* David Wagner (dawat_private) wrote:
>> Chris Wright wrote:
>> >2. Maintain current set of hooks and push logic out of the kernel and into
>> >the module to avoid placing hooks in compound conditionals.
>>
>> Now I know that this assurance argument is going to inevitably become
>> harder to verify with a LSM, but if we follow option #2, things really
>> get nasty. To verify the assurance claim, one must examine all code
>> *and verify that it includes a proper cut-and-pasted version of the base
>> kernel logic*. Such verification is non-trivial, and my motto is that
>> if it is non-trivial, it is probably wrong.
>
>I agree, if you catch yourself cutting and pasting, something is wrong.
>But I'm not convinced this method requires cutting and pasting. I think
>it becomes an argument in favor of module composition.

Yes, I agree. If we are willing to re-open the issue of composition
and consider how to handle composition, at least in the special cases
needed to make #2 work, then my comments go away. In this case, #2
looks like a perfectly nice approach, one that -- assuming we can solve
the associated composition problems -- I'd be happy to praise.

I was operating under the perhaps mistaken assumption that module
composition was off the table. Sorry about not being more explicit.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 17:30:19 PDT