On Mon, 6 Aug 2001 jmjonesat_private wrote:

> 1) the more patches/work that get done within the "restrictive_only"
> model, the more work have to do here to convert from "restrictive_only" to
> authoritative.

Moving DAC to a module is not the same thing as authoritative hooks. I think that Crispin sent a note to Ted asking about moving DAC to a module, not about authoritative hooks vs. restrictive hooks.

With regard to authoritative hooks, it isn't really true that there is any conflict between the ongoing work and what is needed for authoritative hooks. In fact, moving the existing hook calls after the DAC logic (which I did for permission in my recent patch and I have just done for setattr, ptrace, setnice, setpgid, and setscheduler) makes it easier to convert to authoritative hooks.

The other tasks I suggested in my original message in this thread don't really help with regard to authoritative hooks, but they don't make it any harder to change to them, and they certainly improve the overall quality of LSM.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private
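The hook-placement point in the message above, as an added illustration that is not part of the original message or of the LSM patches: a toy C model in which every name is hypothetical, assuming an authoritative hook receives the DAC verdict and returns the final decision. With the hook already called after DAC, the conversion is a change at the same call site.

```c
#include <errno.h>
#include <stdio.h>
/* Toy model, not kernel code; every name here is hypothetical. */
struct subject { unsigned uid; int trusted; };       /* trusted: known only to the module */
struct object { unsigned owner, mode; int sealed; }; /* mode: owner rwx << 3 | other rwx */

/* Stand-in for the kernel's built-in DAC logic. */
static int dac_check(const struct subject *s, const struct object *o, unsigned mask)
{
    unsigned bits = (s->uid == o->owner) ? (o->mode >> 3) & 7u : o->mode & 7u;
    return (bits & mask) == mask ? 0 : -EACCES;
}

/* Restrictive hook: may only add a denial on top of DAC. */
static int hook_restrictive(const struct object *o)
{
    return o->sealed ? -EACCES : 0;
}

/* Authoritative hook (assumed shape): sees the DAC verdict, returns the final one. */
static int hook_authoritative(const struct subject *s, const struct object *o, int dac_err)
{
    if (o->sealed)
        return -EACCES;            /* can still deny what DAC allowed */
    if (dac_err && s->trusted)
        return 0;                  /* can also override a DAC denial */
    return dac_err;
}

/* Hook placed after DAC, restrictive: a DAC denial short-circuits the hook. */
static int permission_restrictive(const struct subject *s, const struct object *o, unsigned mask)
{
    int err = dac_check(s, o, mask);
    return err ? err : hook_restrictive(o);
}

/* Same call site made authoritative: the DAC verdict is already in hand, so pass it on. */
static int permission_authoritative(const struct subject *s, const struct object *o, unsigned mask)
{
    return hook_authoritative(s, o, dac_check(s, o, mask));
}

int main(void)
{
    struct subject svc = { 2000, 1 };        /* constructed sample data */
    struct object f = { 1000, 6u << 3, 0 };  /* owner rw-, others --- */
    printf("%d %d\n", permission_restrictive(&svc, &f, 4), permission_authoritative(&svc, &f, 4));
    return 0;
}
```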