On Tue, Jul 31, 2001 at 05:29:06PM -0700, richard offer wrote:
> I thought we agreed to not call it MAC/DAC sequence, but module/in-kernel
> sequence :-)
Aye, but old habits die hard, and this habit has been going on for
weeks. :)
> I thought that being fully authoritative using a single hook implied moving
> current kernel logic out into a module. There would be no issues with
> module/in-kernel sequence since there would be no in-kernel.
You are assuming replacing the entire in-kernel logic with hooks to
module calls. The easy way to use what we have done so far is to change
each instance of
if (!(kernel logic))
security_ops->voodoo();
into
retval = kernel logic;
security_ops->voodoo(retval);
We could do something more like this:
security_ops->voodoo()
where security_ops->voodoo() {
our check;
kernel check;
}
-or- security_ops->voodoo() {
kernel check;
our check;
}
In the case of keeping the kernel logic where it is and passing in the
return values, the easiest (and smaller patch :), the kernel logic must
be done before the policy-specific logic, which is the SGI problem.
Moving the kernel logic into the module will allow SGI to fix this
problem; however, the size of the patch is quite likely to expand as
kernel logic is pulled from the kernel wholesale, and we then have the
various modules duplicating kernel checks -- and the mess that brings
with it for maintenance.
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 17:59:44 PDT