richard offer wrote:
> * Not that I think this is a bad idea, largely, but I think it has been
> * "argued down" for many reasons. Even eliminating the "simple-assurance"
> * argument, there is the issue of "kernel invasion". Do you have a response
> * to that argument?
>
> I suppose you want something more than its the right thing to do ? :-)
I believe it to be completely infeasible to ever consider moving the kernel
security logic into a module. In-kernel security logic ("DAC" for short :-) is
deeply intertwined with lots of other non-security code. Teasing it apart
would be a Herculean task (complete with shoveling loads of crap :-) and is
fraught with error. As a result, the kernel group is highly likely to reject
such a proposal.
So no, moving the in-kernel/DAC logic to a module was not what I was proposing,
and it is unlikely to ever be considered. That's not a dictatorial rule, but
IMHO, it is practical advice.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
_______________________________________________
linux-security-module mailing list
linux-security-module@wirex.com
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 19:13:23 PDT