Re: [PATCH] Authoritative hooks

From: Seth Arnold (sarnoldat_private)
Date: Wed Aug 22 2001 - 15:04:20 PDT

    On Wed, Aug 22, 2001 at 09:37:23AM -0400, Stephen Smalley wrote:
    > So, has anyone looked at the authoritative hooks patch yet?
    
    I am probably forgetting something obvious, but I can't recall why the
    change was suggested.
    
    Pro:
    	jmjones would like it
    Cons:
    	gives up a useful software engineering bug-resistance tool
    
    I vaguely recall that the discussion about authoritative hooks
    resurfaced at the same time SGI and WireX were at an impasse regarding
    the ordering of kernel checks and module checks. Crispin asked if the
    SGI team found your authoritative hooks useful for their own purposes,
    and I don't recall seeing any answer from the SGI team, nor do I recall
    any specific reasons why this would help SGI -- the kernel checks are
    still performed before calling the module's function; with this patch,
    the module is called no matter the kernel's opinion. I suppose that they
    could emulate the results of not performing the kernel checks through
    this technique, but the kernel checks will still get performed before
    calling the module.
    
    I'm sure someone at SGI would take the time to jump on this email if I
    were wrong in saying that this patch won't help SGI. :) I can't speak
    for "the official WireX position", but I would tend to think we would
    prefer to keep the bug-resistant restrictive hooks in place.
    
    As for the actual patch itself, I didn't see anything wrong with it,
    if the decision is made to use authoritative hooks. :)
    
    Thanks Stephen.
    