Re: [RFC] 2.4.11-pre4 patch

From: jmjonesat_private
Date: Mon Oct 08 2001 - 11:54:43 PDT


    On Mon, 8 Oct 2001, Chris Wright wrote:
    
    > yes, as greg mentioned, i don't think this is a problem.  the only real
    > challenge with conditional compilation is making it Do The Right Thing
    > (TM).  since we have taken real kernel access control logic and pushed
    > it into the dummy or capabilities modules, we'd need to make sure the
    > conditional compile actually handled those cases correctly.
    
    Well, logically, it would seem that the absurd end of spectrum is to leave
    the thing as a patch... that's completely conditional, and still solidly
    useful, but more difficult for the LSM group to maintain.
    
    I still don't think it's necessary to be able to extricate LSM *if* it is
    part of the actual kernel tree.  The cost for the dummy calls is just not
    that high (a sign, IMHO, that the "minimal impact" objective has been well
    addressed.)  They also are located in many interesting spots, and may have
    uses other than the claimed purpose.
    
    On a more hopefully helpful note, would it be acceptable to build a
    conditional that converts the hooks containing logic in the dummy/capable
    module to direct calls to the relocated code in one swoop DIRECTLY,
    without the indirection of the security_ops structure, or is it
    necessary to put that logic BACK on the "flip of a switch."?
    
    #ifndef LSM_OUT
      hook(...)
    #else
      cap_hook(...)
    #endif
    
    Only for the plug-functional functions?  If the conditionals can't be IN
    the kernel code, then just hardwiring the indirection in security.h would
    seem fairly straightforward.
    
    Leave out register/unregister for security.c and assign the calls directly
    on the LSM_OUT case... we're not out "squeaky clean" but still are out and
    have focussed attention on the capabilities code in a single location,
    which might also be useful, even in a non-LSM kernel.
    
    Not Sure I Clearly Stated That,
    But: how much OUT is contemplated?
    J. Melvin Jones
    
    > 
    > -chris
    > 
    
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
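
Added example, not part of the original message or of the LSM patch: a user-space C sketch of the LSM_OUT switch discussed above, where one macro in a security.h-style header either dispatches through security_ops or calls the relocated capability code directly. The hook signature, the -EPERM/-EINVAL return values, and the names security_hook, do_privileged_op, deny_all and module_can_override are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-in for logic relocated into the capabilities module. */
static int cap_hook(int has_cap) { return has_cap ? 0 : -EPERM; }

#ifndef LSM_OUT
/* LSM build: the hook is reached through a replaceable ops table. */
struct security_operations { int (*hook)(int has_cap); };
static struct security_operations capability_ops = { .hook = cap_hook };
static struct security_operations *security_ops = &capability_ops;

static int register_security(struct security_operations *ops)
{
    if (!ops || !ops->hook)
        return -EINVAL;            /* never install a table with a NULL hook */
    security_ops = ops;
    return 0;
}
static void unregister_security(void) { security_ops = &capability_ops; }
static int deny_all(int has_cap) { (void)has_cap; return -EPERM; }
#define security_hook(c) (security_ops->hook(c))
#else
/* LSM_OUT build: no table, no register/unregister; the call is hardwired. */
#define security_hook(c) (cap_hook(c))
#endif

/* The call site is identical in both builds: 0 = allowed, -EPERM = denied. */
static int do_privileged_op(int has_cap) { return security_hook(has_cap); }

/* Returns 1 if a stricter module can change the decision at run time. */
static int module_can_override(void)
{
#ifndef LSM_OUT
    struct security_operations strict = { .hook = deny_all };
    if (register_security(&strict) != 0)
        return 0;
    int denied = (do_privileged_op(1) == -EPERM);
    unregister_security();         /* fall back to the capability defaults */
    return denied;
#else
    return 0;                      /* nothing to register against */
#endif
}

int main(void)
{
    printf("cap held: %d, cap missing: %d, override possible: %d\n",
           do_privileged_op(1), do_privileged_op(0), module_can_override());
    return 0;
}
```

Building with -DLSM_OUT keeps the capability decision at the same call site but removes the run-time override path, which is the trade-off the message asks about.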
    



    This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 11:55:37 PDT