Re: LSM Patch Additions for CAPP (C2) Audit Trails

From: jmjonesat_private
Date: Sat Jul 07 2001 - 11:09:11 PDT


    On Fri, 6 Jul 2001, Crispin Cowan wrote:
    
    > Stephen Smalley wrote:
    > 
    > > Could you clarify about the capabilities module?  From your description
    > > above, it sounds like Ted agreed that we shouldn't move the base
    > > kernel logic out to a module, but it isn't clear if that also
    > > includes the core capabilities logic.  If Ted indicated that we
    > > shouldn't move even the core capabilities logic out into a module,
    > > then we need to revert those changes, because we have already moved
    > > some of that logic.
    > 
    > I think he meant that moving the capabilities logic was ok.  You can check with
    > Pete Loscocco, who was also at the lunch.
    
    Wow.  I didn't read THAT into your statement at all... sorry.
    
    Okay, can we separate capabilities from "other" in some way, and 
    discuss ONLY capabilities for a moment...
    
    I've heard (off list) some opinions that suggest that capabilities 
    calls should be authoritative rather than restrictive.  As Chris Wright 
    pointed out, we're "capturing a [more permissive] model" with
    capabilities.
    
    Is there any feeling with regard to presenting a capabilities subset of
    hooks to the LSM interface that is defined as authoritative?
    
    For the purpose of "verification" and responding to the general consensus
    that "restrictive placement is best", I'd mentally separated capabilities
    (more permissive (largely)) from the "core hooks."  While a
    capabilities_plug type module could use the "core hooks", I think there's
    a more permissive need to support such a module.
    
    I request that we more narrowly/clearly define when permissiveness is
    allowable.
     
    J. Melvin Jones
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Sat Jul 07 2001 - 11:10:28 PDT
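
The restrictive versus authoritative distinction raised in the message above, as an added example that is not part of the original post or of the LSM code: a toy C model showing that a capability-style policy, which grants access the base check refuses, has no effect under restrictive hook placement. All names (`dac_check`, `cap_hook`, `decide_restrictive`, `decide_authoritative`, the `request` fields) are hypothetical, and the sample request is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model only: every name below is hypothetical, none is an LSM symbol. */
enum verdict { DENY = 0, ALLOW = 1 };

struct request {
    unsigned uid, owner;   /* caller and object owner */
    bool other_read;       /* mode bits grant read to "other" */
    bool cap_override;     /* caller holds a DAC-override style capability */
};

typedef enum verdict (*hook_fn)(const struct request *, enum verdict kernel);

/* Stand-in for the base kernel logic: owner or world-readable. */
static enum verdict dac_check(const struct request *r)
{
    return (r->uid == r->owner || r->other_read) ? ALLOW : DENY;
}

/* Capability-style policy: the capability grants what DAC refuses. */
static enum verdict cap_hook(const struct request *r, enum verdict kernel)
{
    return r->cap_override ? ALLOW : kernel;
}

/* Restrictive placement: the hook runs only after the kernel said yes,
 * so it can take access away but never add it. */
static enum verdict decide_restrictive(const struct request *r, hook_fn h)
{
    return dac_check(r) == DENY ? DENY : h(r, ALLOW);
}

/* Authoritative placement: the hook sees the kernel verdict and has the last word. */
static enum verdict decide_authoritative(const struct request *r, hook_fn h)
{
    return h(r, dac_check(r));
}

int main(void)
{
    /* Constructed case: non-owner, file not world-readable, capability held. */
    struct request r = { .uid = 1000, .owner = 0, .other_read = false, .cap_override = true };
    printf("restrictive:   %s\n", decide_restrictive(&r, cap_hook) ? "ALLOW" : "DENY");
    printf("authoritative: %s\n", decide_authoritative(&r, cap_hook) ? "ALLOW" : "DENY");
    return 0;
}
```

A module that only ever denies returns the same verdict under both placements; the two diverge only when the module wants to allow something the base check refused, which is the permissive case the message asks to have defined.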