On Thu, 2 Aug 2001 Valdis.Kletnieksat_private wrote: > However, one of the reasons for rejecting authoritative hooks (simple > assurance) has since been re-examined and found to have some issues, which > although not *obviously* fatal, are at least sufficient to require some > re-discussion - even if we wish to continue on the path we currently are, > we need to at least be able to say "we considered the new evidence and > decided to not change our minds". Given that there has been at least one > concrete proposal by jmjones that would provide a stackable module on top > of authoritative hooks that would provide at least a large chunk of what > simple assurance was supposed to buy us, some pondering is needed... As I mentioned in my message, the fact that the modules can modify structure fields and cause side effects was not news. Furthermore, even if you copy structures, a module can always modify state in the current task (and in fact, many real modules will do exactly this, e.g. to revoke access to file descriptors when a domain changes across an execve). Additionally, a module is free to change kernel data, regardless of whether you happen to pass it explicitly or not. So there is nothing new here to motivate a change in LSM. -- Stephen D. Smalley, NAI Labs ssmalleyat_private _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 11:29:06 PDT