On Mon, 8 Oct 2001, Chris Wright wrote:

> yes, as greg mentioned, i don't think this is a problem. the only real
> challenge with conditional compilation is making it Do The Right Thing
> (TM). since we have taken real kernel access control logic and pushed
> it into the dummy or capabilities modules, we'd need to make sure the
> conditional compile actually handled those cases correctly.

Well, logically, it would seem that the absurd end of spectrum is to leave the thing as a patch... that's completely conditional, and still solidly useful, but more difficult for the LSM group to maintain.

I still don't think it's necessary to be able to extricate LSM *if* it is part of the actual kernel tree. The cost for the dummy calls is just not that high (a sign, IMHO, that the "minimal impact" objective has been well addressed.) They also are located in many interesting spots, and may have uses other than the claimed purpose.

On a more hopefully helpful note, would it be acceptable to build a conditional that converts the hooks containing logic in the dummy/capable module to direct calls to the relocated code in one swoop DIRECTLY, without the indirection of the security_ops structure, or is it necessary to put that logic BACK on the "flip of a switch."?

    #ifndef LSM_OUT
        hook(...)
    #else
        cap_hook(...)
    #endif

Only for the plug-functional functions?

If the conditionals can't be IN the kernel code, then just hardwiring the indirection in security.h would seem fairly straightforward. Leave out register/unregister for security.c and assign the calls directly on the LSM_OUT case... we're not out "squeaky clean" but still are out and have focussed attention on the capabilities code in a single location, which might also be useful, even in a non-LSM kernel.

Not Sure I Clearly Stated That, But: how much OUT is contemplated?

J. Melvin Jones

>
> -chris
>

|>------------------------------------------------------
|| J. MELVIN JONES            jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------
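The compile-time switch discussed in this message, as an added example; it is not code from the post or from the LSM patch. The `task_admin` hook, `CAP_ADMIN` bit, `strict_ops` module and the `security_call` macros are hypothetical names chosen for illustration; only `security_ops`, `LSM_OUT`, the `cap_` prefix and register/unregister come from the thread.

```c
#include <stdio.h>

/* Toy capability bit and hook; names are illustrative, not the kernel's. */
#define CAP_ADMIN 0x1

struct security_operations {
    int (*task_admin)(unsigned caps);   /* 0 = allow, -1 = deny */
};

/* Relocated access-control logic: the single place the check lives. */
static int cap_task_admin(unsigned caps) { return (caps & CAP_ADMIN) ? 0 : -1; }

/* A stricter module that could be registered in place of the default. */
static int strict_task_admin(unsigned caps) { (void)caps; return -1; }

static struct security_operations capability_ops = { cap_task_admin };
static struct security_operations strict_ops = { strict_task_admin };
static struct security_operations *security_ops = &capability_ops;

/* The two expansions a security.h-style header could choose between. */
#define SECURITY_INDIRECT(hook, ...) (security_ops->hook(__VA_ARGS__))
#define SECURITY_DIRECT(hook, ...)   (cap_##hook(__VA_ARGS__))

#ifndef LSM_OUT
#define security_call SECURITY_INDIRECT
static int register_security(struct security_operations *ops) { security_ops = ops; return 0; }
#else
#define security_call SECURITY_DIRECT
/* No register/unregister: the hooks are hardwired to the cap_ code. */
static int register_security(struct security_operations *ops) { (void)ops; return -1; }
#endif

/* The call site stays free of conditionals either way. */
static int do_admin_op(unsigned caps) { return security_call(task_admin, caps); }

int main(void) {
    printf("default, privileged:        %d\n", do_admin_op(CAP_ADMIN));
    printf("default, unprivileged:      %d\n", do_admin_op(0));
    printf("register strict module:     %d\n", register_security(&strict_ops));
    printf("after register, privileged: %d\n", do_admin_op(CAP_ADMIN));
    return 0;
}
```

Building with `-DLSM_OUT` makes `register_security` fail and pins every call to the `cap_` code, so a stricter module can no longer tighten the check; that is the trade-off behind "how much OUT is contemplated?".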
This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 11:55:37 PDT