Re: New LSM patch for consideration

From: Stephen Smalley (sdsat_private)
Date: Tue Jun 19 2001 - 05:24:04 PDT


    On Tue, 19 Jun 2001, Shane Kerr wrote:
    
    > I guess my only question is:  Will "purely restrictive" hooks allow
    > modules that allow non-root users to bind privileged ports, chroot, and
    > possibly setuid/setgid?
    
    To be precise, the idea is that all of the LSM hooks other than
    capable() will be purely restrictive.  As soon as we arrive
    at a consensus on the right approach to moving capabilities
    out of the base kernel into a module, the base capable()
    function will once again be reduced to merely calling the
    LSM capable() hook, so a security module will be able to
    grant traditionally superuser privileges to non-superuser processes.
    The capabilities security module will be a module that provides this 
    kind of functionality. 
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
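
Added example, not part of the original message or of the LSM patch: a user-space C model of the distinction described above, using the privileged-port case from the quoted question. All names (`model_ops`, `model_bind`, the uid 1000 and port 23 policies) are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define MODEL_CAP_NET_BIND_SERVICE 10 /* Linux's number for this capability */

struct task { int euid; };

/* Hypothetical hook table: a model, not the LSM patch's real structure. */
struct model_ops {
    int (*capable)(const struct task *t, int cap); /* 1 = task holds cap */
    int (*bind)(const struct task *t, int port);   /* 0 = no objection, else -errno */
};

/* Traditional policy: only the superuser holds capabilities. */
static int root_only_capable(const struct task *t, int cap) { (void)cap; return t->euid == 0; }

/* Module policy: additionally grant the bind capability to uid 1000 (constructed). */
static int granting_capable(const struct task *t, int cap) {
    if (t->euid == 1000 && cap == MODEL_CAP_NET_BIND_SERVICE) return 1;
    return root_only_capable(t, cap);
}

static int bind_no_objection(const struct task *t, int port) { (void)t; (void)port; return 0; }

/* Restrictive policy: nobody, root included, may bind port 23. */
static int bind_deny_telnet(const struct task *t, int port) { (void)t; return port == 23 ? -EPERM : 0; }

/* Base-kernel side: capable() only forwards to the module's hook. */
static int model_capable(const struct model_ops *ops, const struct task *t, int cap) {
    return ops->capable(t, cap);
}

/* The restrictive hook is reached only after the base check has passed,
 * so it can turn "allowed" into "denied" but never the reverse. */
int model_bind(const struct model_ops *ops, const struct task *t, int port) {
    if (port < 1024 && !model_capable(ops, t, MODEL_CAP_NET_BIND_SERVICE))
        return -EACCES;
    return ops->bind(t, port);
}

const struct model_ops restrictive_only = { root_only_capable, bind_deny_telnet };
const struct model_ops with_cap_module  = { granting_capable,  bind_no_objection };

int main(void) {
    struct task user = { 1000 }, root = { 0 };
    printf("user:80 restrictive_only -> %d\n", model_bind(&restrictive_only, &user, 80));
    printf("root:23 restrictive_only -> %d\n", model_bind(&restrictive_only, &root, 23));
    printf("user:80 with_cap_module  -> %d\n", model_bind(&with_cap_module, &user, 80));
    return 0;
}
```

In the model, only a replacement `capable` hook lets the non-root task bind port 80; the `bind` hook alone can refuse root but cannot admit the user.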
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 05:25:26 PDT