Re: Possible system call interface for LSM

From: jmjonesat_private
Date: Fri Aug 10 2001 - 19:55:32 PDT

    On Fri, 10 Aug 2001, Crispin Cowan wrote:
    
    > jmjonesat_private wrote:
    > 
    > > On Fri, 10 Aug 2001, Crispin Cowan wrote:
    > > > I believe that the argument here is that the compute cost of an extra
    > > > parameter is paid by all modules on every call to the LSM syscall, vs. a
    > > > one-time cost of accessing a pseudo-file to identify a module.  The file
    > > > access is slower, but occurs much less often, off the critical path.
    > >
    > > Relegate this to testing?  By the time it's tested, it'll be so deep in
    > > LSM that it will be a whole NEW argument to get it out.  I have been
    > > burned by this idea before and would rather not "sit tight" on it again.
    > > (just me.)
    > 
    > One of us is confused :-)  I don't know what you mean by "relegate this
    > to testing".  I believe that we are all in agreement that there needs to
    > be some way for an app to test if a given module is present, and we're
    > discussing how best to do it. 
    
    Most of us?  Beats me.  5 out of 400 is not a majority.
    
    I agree there needs to be a means of testing.  I don't agree it has to be
    addressed by the LSM interface.
    
    What I fear is the "RELEGATE THIS TO TESTING" argument.  It works, but
    nobody ever tests... and, if they did, the requirement would be to "prove
    it has to come out" rather than "prove it should be in".
    
    Hands up, who's testing?
    
    These are different requirements.
    
    > 
    > Crispin
    > 
    > --
    > Crispin Cowan, Ph.D.
    > Chief Scientist, WireX Communications, Inc. http://wirex.com
    > Security Hardened Linux Distribution:       http://immunix.org
    > Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    > 
    
    J. Melvin Jones
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 19:56:38 PDT