Re: [PATCH] Authoritative hooks

From: jmjonesat_private
Date: Thu Aug 23 2001 - 09:41:21 PDT

  • Next message: Valdis.Kletnieksat_private: "Re: [PATCH] Authoritative hooks" 

    On Thu, 23 Aug 2001, Greg KH wrote:

> On Thu, Aug 23, 2001 at 08:05:19AM -0400, Stephen Smalley wrote:
> > 
> > The size and cleanliness of the patch
> > could affect acceptability by the kernel developers, so that may be
> > a real concern.
> 
> That is a real concern at this point.  Keeping the original patch small
> and "obvious" is very important.
> 
> I like Crispin's "roadmap".  After we get the original hooks in the
> kernel, then we can move on to possibly changing them to a format like
> this patch if people want them (and it looks like people do.)
> 
> Sound ok?

It sounds less okay than the approach under consideration now.

The idea under consideration seems to be "where obviously possible and
useful", leaving the "very-hard" places restrictive_only.  

This strategy minimizes the "size and cleanliness" impact of the change
and allows audit and MAC/DAC precedence to be implemented in the module
NOW, enhancing the functionality and "true generality" of the interface.
This rides on the "pro" side of the scale, reducing the list of "can't 
do issues" by a relatively large margin without going hog-wild and messing
up the kernel too much.

I'm hoping SGI and/or others will provide more detailed analysis of "is
this enough" before a decision is made to commit to this strategy, but it
appears to be quite a valuable idea, to me.
 
> 
> thanks,
> 
> greg k-h
> 

J. Melvin Jones

|>------------------------------------------------------
||  J. MELVIN JONES            jmjonesat_private 
|>------------------------------------------------------
||  Microcomputer Systems Consultant  
||  Software Developer
||  Web Site Design, Hosting, and Administration
||  Network and Systems Administration
|>------------------------------------------------------
||  http://www.jmjones.com/
|>------------------------------------------------------






_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

    This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 09:43:03 PDT