Re: Port of secure fd handling to LSM

From: richard offer (offerat_private)
Date: Tue Aug 07 2001 - 07:47:45 PDT


    * frm gregat_private "08/06/01 18:39:50 -0700" | sed '1,$s/^/* /'
    *
    * On Mon, Aug 06, 2001 at 05:50:51PM -0700, richard offer wrote:
    *> 
    *> Can we have our fds in now please ? :-)
    * 
    * But didn't you just prove that they are not needed?  This patch doesn't
    * need them.  I don't understand.
    
    Back on Jul 24 Crispin said...
    
      *
      * So how about someone who is motivated to get fd's into the LSM patch
      * (either SGI or someone else) port some subset of the Solar Designer patch
      * to the LSM+fd parms.  We will then have a very well motivated example in
      * hand should anyone in linux kernel space question this decision.
      *
      * And it will be cool :-)
    
    You're right this policy does not in itself use fds. But the argument was
    that fds are not useful for any policy. 
    
    The policy could have been implemented by using the fd parameters to the
    file_ops hooks and revoking access on read/write, but that would have meant
    adding new hooks (open/post_open/close) and misleading since this was the
    obvious way of implementing the policy (that's how Solar implemented it). I
    was honest.
    
    I can't win.
    
    
    * 
    *> OffTopic:
    *>     Should we create a new de-facto standard directory for policies to be
    *> located in the kernel tree ? It would make it easier if we all had a
    *> single location for them... 
    * 
    * Good idea.  Anyone have a name that they like?
    
    What about living in the security directory (where the config file is now).
    Each in its own separate subdir ?
    
    Perhaps they should be named <policy>_lsm.o to denote them as lsm modules
    rather than any other type ? On an installed system, that would lead them
    to be installed under /lib/modules/*/kernel/security/policy_lsm.o ?
    
    * 
    * greg k-h
    * 
    
    richard.
    
    -----------------------------------------------------------------------
    Richard Offer                     Technical Lead, Trust Technology, SGI
    "Specialization is for insects"
    _______________________________________________________________________
    
    