Hello,

I think you might be a little confused. PRFW also provides hooks that
affect the entire system as well. So you could remedy this situation
using PRFW. (You could even make your own per-pid restriction mechanism
if you wanted, I just included it for the convenience of module developers)

Thanks,

Stephen Smalley writes:
>
> On Mon, 20 Aug 2001, Evan Sarmiento wrote:
>
> > this surely is not a FreeBSD hook mailing list, but perhaps you'd be interested to compare, and I'd be
> > glad to hear your feedback. One thing I added in my hooks implementation is the ability to have
> > per-process hooks, for example, you might have process A return EPERM when it tries to setuid(),
> > and you can tell process B that it can only use SOCKET() if it is PF_LOCAL. These rules
> > also propagate through children.
>
> Linus originally mentioned the possibility of per-process hooks in his
> message that led to the creation of the LSM project. However, per-process
> hooks are problematic for a number of reasons, e.g.:
>
> 1) How do you deal with operations that occur outside of process
> context, such as network input operations?
>
> 2) How do you deal with operations between processes, such as
> signal delivery, where you may have two different sets of hooks
> for each process?
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalleyat_private
>
> _______________________________________________
> linux-security-module mailing list
> linux-security-moduleat_private
> http://mail.wirex.com/mailman/listinfo/linux-security-module

--
-----------------------------------
Evan Sarmiento | www.open-root.org
emsat_private | www.sekt7.org/~ems/
-----------------------------------
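Added example, not part of the original message and not PRFW or LSM code: a small user-space C model of the arrangement discussed in this thread, with per-process hooks that children inherit plus system-wide hooks that still apply when an operation has no process context. Every identifier (struct proc, check, proc_fork, the hook functions) and the port value are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>

/* Hypothetical model: all names below are invented for this example. */
enum op { OP_SETUID, OP_SOCKET, OP_NET_INPUT, OP_MAX };
typedef int (*hook_fn)(int arg);           /* returns 0 or an errno value */

struct proc {
    int pid;
    hook_fn hooks[OP_MAX];                 /* per-process rules, NULL = none */
};
static hook_fn global_hooks[OP_MAX];       /* system-wide rules */

static int deny(int arg) { (void)arg; return EPERM; }
static int local_only(int domain) { return domain == PF_LOCAL ? 0 : EPERM; }
static int drop_port_23(int port) { return port == 23 ? EPERM : 0; }

/* fork(): the child starts with a copy of the parent's rules. */
static struct proc proc_fork(const struct proc *parent, int child_pid)
{
    struct proc child = *parent;
    child.pid = child_pid;
    return child;
}

/* System-wide hook first, then the caller's own hook. p == NULL models an
 * operation outside process context (network input): only the system-wide
 * hook can apply there. */
static int check(const struct proc *p, enum op op, int arg)
{
    int rc = 0;
    if (global_hooks[op] != NULL)
        rc = global_hooks[op](arg);
    if (rc == 0 && p != NULL && p->hooks[op] != NULL)
        rc = p->hooks[op](arg);
    return rc;
}

int main(void)
{
    struct proc a = { .pid = 100 }, b = { .pid = 200 };
    a.hooks[OP_SETUID] = deny;             /* process A: setuid() -> EPERM */
    b.hooks[OP_SOCKET] = local_only;       /* process B: PF_LOCAL only */
    global_hooks[OP_NET_INPUT] = drop_port_23;   /* constructed rule */
    struct proc c = proc_fork(&b, 201);    /* child inherits B's rules */
    return !(check(&a, OP_SETUID, 0) == EPERM &&
             check(&c, OP_SOCKET, PF_INET) == EPERM &&
             check(NULL, OP_NET_INPUT, 23) == EPERM);
}
```

The model covers only the single-caller case; it makes no choice about operations between two processes with different hook sets, the second question raised in the quoted message.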
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 11:54:48 PDT