Re: Making forward progress

From: Valdis.Kletnieksat_private
Date: Fri Aug 03 2001 - 09:45:56 PDT

On Fri, 03 Aug 2001 12:38:25 EDT, Stephen Smalley said:

> I think you're taking Linus' statements out of context.  By "policy",
> I think he was referring back to his statement about "uid==0" vs.
> capabilities vs. TE vs. MLS...  Again, this is not about the existing
> kernel DAC logic.

What Linus said in the next paragraph (if Crispin Cowan cited him correctly):

> and then just have a opaque per-security-model security ID thing scattered
> around in critical places (the obvious being the thread structure, files,
> directory cache, inodes, etc). And instead of having _any_ policy at all,
> the kernel would just call the security procedure. Which might choose to
> fail (-EFASCIST) or might choose to return success but silently downgrade
> the security of the process that does the action, or whatever.

"the kernel would just call the security procedure".

That *certainly* sounds like he'd be at least willing to *consider* moving
*all* the current euid==0/capability/etc checking off into a module.

By *my* reading, Linus is at least open to moving it *all* off to authoritative
hooks.

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module