Re: Making forward progress

From: Stephen Smalley (sdsat_private)
Date: Mon Aug 06 2001 - 10:15:03 PDT

    On Mon, 6 Aug 2001 jmjonesat_private wrote:
    > 1) the more patches/work that get done within the "restrictive_only"
    > model, the more work have to do here to convert from "restrictive_only" to 
    > authoritative.

    Moving DAC to a module is not the same thing as authoritative hooks.
    I think that Crispin sent a note to Ted asking about moving DAC
    to a module, not about authoritative hooks vs. restrictive hooks.

    With regard to authoritative hooks, it isn't really true that
    there is any conflict between the ongoing work and what is needed
    for authoritative hooks.  In fact, moving the existing hook calls
    after the DAC logic (which I did for permission in my recent
    patch and I have just done for setattr, ptrace, setnice, setpgid,
    and setscheduler) makes it easier to convert to authoritative hooks.
    The other tasks I suggested in my original message in this thread
    don't really help with regard to authoritative hooks, but they
    don't make it any harder to change to them, and they certainly
    improve the overall quality of LSM.

    Stephen D. Smalley, NAI Labs

    linux-security-module mailing list
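
An added illustration, not part of the original message or of the LSM code: a userspace C model of why a restrictive hook called after the DAC logic is a small step away from an authoritative one. All struct and function names are hypothetical, and the authoritative semantics shown (the hook receives the DAC result and returns the final decision) are an assumption about the proposal being discussed.

```c
/* Userspace model; all names are hypothetical, not kernel or LSM code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct request {
    bool dac_allows;     /* outcome of the existing DAC logic */
    bool module_allows;  /* outcome of the security module's policy */
};

/* Stand-in for the existing DAC logic. */
static int dac_check(const struct request *r) { return r->dac_allows ? 0 : -EACCES; }

/* Restrictive hook: reached only after DAC has granted, so it can only deny. */
static int restrictive_hook(const struct request *r) { return r->module_allows ? 0 : -EACCES; }

/* Authoritative hook (assumed semantics): sees the DAC result and returns
 * the final decision, so it may also grant what DAC denied. */
static int authoritative_hook(const struct request *r, int dac_result)
{
    (void)dac_result;  /* this sample policy ignores DAC; a real one need not */
    return r->module_allows ? 0 : -EACCES;
}

/* Restrictive hook called after the DAC logic. */
int check_restrictive(const struct request *r)
{
    int err = dac_check(r);
    if (err)
        return err;    /* a DAC denial is final */
    return restrictive_hook(r);
}

/* Authoritative variant: same call site, DAC result handed to the hook. */
int check_authoritative(const struct request *r)
{
    int err = dac_check(r);
    return authoritative_hook(r, err);
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        struct request r = { (i & 1) != 0, (i & 2) != 0 };
        printf("dac=%d module=%d restrictive=%d authoritative=%d\n", r.dac_allows,
               r.module_allows, check_restrictive(&r), check_authoritative(&r));
    }
    return 0;
}
```

The two variants differ only in the case where DAC denies and the module allows; with the hook already placed after the DAC logic, the conversion is confined to the early return.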
