On Sat, Sep 01, 2001 at 06:46:36PM -0400, jmjonesat_private wrote:
> I don't have any specific response to this assertion, but, respectfully,
> ask for someone (even Greg ;)) to clarify "the direction LSM is heading",
> hopefully with regard to:

My opinions:

> 1) authoritative hooks: YES, NO, CONDITIONAL (how?)

No. I've already talked about why I feel this way. Please see the
archives.

> 2) DAC bypass (as an option), YES, NO, CONDITIONAL (how?)

Do you mean the MAC before DAC discussion? Personally I don't care.
But I like the current DAC before MAC implementation that LSM seems to
follow.

> 3) Support for loadable modules NOT compiled into the kernel (I've
> seen some "not an issue because we're suggesting compiling in"
> discussions that have short-circuited (perhaps not intentionally)
> issues that may be relevant to allowing a module to slide into
> a system that has run for a while before the module is loaded.
>
> YES, NO, CONDITIONAL (how?)

Yes. This support is there right now. You just have to get the logic
correct in your module, being able to handle the tasks and other objects
that were created before your module was loaded. And if you want to
recommend that your module be compiled into the kernel (like SELinux
does) that's your option.

> I'm dealing with developers in my project that insist that it may be
> necessary for us to "branch", and create a patch that removes LSM and
> reapplies a specific patch to the kernel to address our functionality.
> I'd rather not go that direction, but a few things that may be necessary
> are probably going to need a "plus-patch", and some other things that are
> admittedly possible, but require significant "manipulation" with the
> current patch may be better done with "plus-patches."

A branch of a patch, and I thought I had heard of everything :)

Fine, all the lsm work is opensource, and if it doesn't meet your needs
in certain ways, feel free to change it for your own usages.
Just respect the current license and everyone will be happy.

Did this help?

thanks,

greg k-h

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Sat Sep 01 2001 - 15:57:35 PDT