Casey Schaufler wrote:

>Greg KH wrote:
>
>>Um, hooks that do nothing but let the module know what the kernel is
>>doing at a point in time, don't seem to be under the lsm charter right
>>now. Like David Wagner said, it smells like audit.
>>
>There are a lot of hooks which are useful for audit. Are you
>going to take them out because of that? I would hope that the
>goal here is "not to do audit" as opposed to "prevent audit
>from being done". The fact that a hook might be useful for audit
>ought not poison it when it's good for other purposes as well.
>

What Casey describes has always been my intent: that phase 1 should enable access control, and anything else that might happen is a bonus.

I believe that Greg's post was a question looking for some access control justification for a hook that appears to supply simple notification of an event, which would normally be a "pure" audit feature. Our access control justification in this case is that we will use the notification to invalidate certification of a program's right to run.

>I would also hope that we, as a group, could be just a touch
>less judgemental regarding the uses others plan to put LSM
>to. I don't much care what policy Steven, Crispin, or Greg
>might want, but I do want y'all to be successful with LSM.
>

To reiterate the feature policy: we don't care what any module developer proposes to do with their module, but we won't add a feature to Phase 1 without an access control justification. Whether that is judgemental or not is a matter of perspective :-)

With that out of the way, hopefully we can return to evaluating whether the community buys our AC justification for Seth's requested hook.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 09:39:25 PDT