* frm sarnoldat_private "08/22/01 15:04:20 -0700" | sed '1,$s/^/* /'
*
* On Wed, Aug 22, 2001 at 09:37:23AM -0400, Stephen Smalley wrote:
*> So, has anyone looked at the authoritative hooks patch yet?
*
* I am probably forgetting something obvious, but I can't recall why the
* change was suggested.
*
* Pro:
*   jmjones would like it
* Cons:
*   gives up a useful software engineering bug-resistance tool
*
* I vaguely recall that the discussion about authoritative hooks
* resurfaced at the same time SGI and WireX were at an impasse regarding
* the ordering of kernel checks and module checks. Crispin asked if the
* SGI team found your authoritative hooks useful for their own purposes,
* and I don't recall seeing any answer from the SGI team, nor do I recall
* any specific reasons why this would help SGI -- the kernel checks are
* still performed before calling the module's function; with this patch,
* the module is called no matter the kernel's opinion. I suppose that they
* could emulate the results of not performing the kernel checks through
* this technique, but the kernel checks will still get performed before
* calling the module.

Right, but the module has the option of both recording the kernel result
(audit) and interposing MAC checks between DAC ones (if our module decides
to re-implement DAC code in the module---definitely not ideal, but there
may be situations where this would be useful).

*
* I'm sure someone at SGI would take the time to jump on this email if I
* were wrong in saying that this patch won't help SGI. :)

We really like this patch (and again thank Stephen both for sending it
again, and taking the time to update it to TOT). Preliminary investigation
shows that it's useful as it is (i.e. even without the authoritative
placement in the hard-to-fix places, since those are indeed hard-to-fix).

* I can't speak
* for "the official WireX position", but I would tend to think we would
* prefer to keep the bug resistant restrictive hooks in place.
*
* As for the actual patch itself, I didn't see anything wrong with it,
* if the decision is made to use authoritative hooks. :)
*
* Thanks Stephen.

richard.

-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 15:38:04 PDT