jmjonesat_private wrote:

> If the idea was to provide information only to the in-module checks
> without allowing it to override the result authoritatively by allowing
> permission where there was none, a kludge might be something like:
>
> int rv1 = 0, rv2=0;
>
> if (... in-kernel check fails...)
>         rv1 = -EPERM;
>
> rv2 = security_ops->hook(rv1, ...);
>
> if (rv2) return rv2;
> if (rv1) return rv1;
> ...
> Other than allowing the module to override a restriction with a
> permission, does this represent a "restrictive_only" compromise that
> might be useful to anybody?

Allowing the module to override a restriction with a permission is
precisely what makes it an authoritative hook. Your proposal has no
advantages over Wagner's that I can see (it appears to be semantically
equivalent) and is more complex.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
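The two compositions discussed in this message, side by side, as an added example that is not part of the original post or of the LSM code. The hook type, the sample modules and all function names are hypothetical; the module is assumed to receive only the in-kernel result.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical hook type: the module is handed the in-kernel result. */
typedef int (*hook_fn)(int kernel_rv);
typedef int (*compose_fn)(int kernel_rv, hook_fn hook);

/* Constructed sample modules (not real LSM hooks). */
static int hook_allow_all(int kernel_rv) { (void)kernel_rv; return 0; }
static int hook_deny_all(int kernel_rv)  { (void)kernel_rv; return -EACCES; }

/* Composition from the quoted message: module result, then kernel result. */
int restrictive_only(int kernel_rv, hook_fn hook)
{
    int rv2 = hook(kernel_rv);
    if (rv2)
        return rv2;        /* module may deny, or replace the error code */
    return kernel_rv;      /* module said 0: a kernel denial still stands */
}

/* Authoritative composition: the module's answer is final. */
int authoritative(int kernel_rv, hook_fn hook)
{
    return hook(kernel_rv);
}

/* Returns 1 if no sample module can turn a kernel -EPERM into 0. */
int never_grants(compose_fn compose)
{
    hook_fn modules[] = { hook_allow_all, hook_deny_all };
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (compose(-EPERM, modules[i]) == 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("restrictive_only never grants: %d\n", never_grants(restrictive_only));
    printf("authoritative never grants:    %d\n", never_grants(authoritative));
    printf("deny module on kernel allow:   %d\n", restrictive_only(0, hook_deny_all));
    return 0;
}
```

Under the quoted composition a module can still add a denial or change which error is returned, but it cannot clear a kernel `-EPERM`.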
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 14:49:31 PDT