On Mon, 20 Aug 2001, Evan Sarmiento wrote:

> this surely is not a FreeBSD hook mailing list, but perhaps you'd be interested to compare, and I'd be
> glad to hear your feedback. One thing I added in my hooks implementation is the ability to have
> per-process hooks, for example, you might have process A return EPERM when it tries to setuid(),
> and you can tell process B that it can only use SOCKET() if it is PF_LOCAL. These rules
> also propagate through children.

Linus originally mentioned the possibility of per-process hooks in his message that led to the creation of the LSM project. However, per-process hooks are problematic for a number of reasons, e.g.:

1) How do you deal with operations that occur outside of process context, such as network input operations?

2) How do you deal with operations between processes, such as signal delivery, where you may have two different sets of hooks for each process?

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private