Re: Where Are We?

From: Chris Wright (chrisat_private)
Date: Mon Jun 11 2001 - 10:59:35 PDT


    * David Wagner (dawat_private) wrote:
    > Stephen Smalley wrote:
    > >3) In some cases, we may add other LSM hooks to operations that are
    > >already authoritatively controlled by capable() in order to 
    > >provide finer-grained distinctions than are possible with the
    > >capable() calls.  But we try to leverage the existing capable() calls 
    > >to the greatest extent possible, only introducing these finer-grained
    > >hooks where we have a clear argument that the capable() call is
    > >inadequate.
    > 
    > I'm not too certain about this one.  How often is capable() used
    > authoritatively?  My impression is that capable() is usually used
    > in contexts where it is permissive rather than authoritative---am
    > I wrong?
    
    My Super Advanced Grep Test (TM) shows capable being called ~550 times.
    In ~410 cases, the calls are "authoritative."  In this context, that means
    ~410 calls are not embedded with any other access control logic.
    
    -chris
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


