Re: [PATCH] no longer export capability_ops and nproc_ops

From: Chris Wright (chrisat_private)
Date: Wed Nov 07 2001 - 16:26:45 PST


jmjonesat_private (jmjonesat_private) wrote:
> 
> Does getting rid of it advantage LSM, or just disadvantage other
> solutions?

i have no idea what you mean.  this is all about LSM, and LSM only.
this has nothing to do with anything else.  please, look at the patch,
it speaks for itself.

> Did LSM export this symbol FIRST, and does the kernel code NOT export it
> in release 2.4.14 without LSM?

this symbol does not exist in 2.4.14.  this is all about LSM and LSM
only.  please look at the patch, it speaks for itself.

> IFF (if and only if) LSM is accepted, there is substantial, definitive
> risk related to exporting these symbols.  Otherwise, there may be some
> value to this export.

there is definitive and substantial risk.  namely, one could overwrite
the entire capabilities operations structure (simply) from within the
kernel.  so what?  once you've loaded a malicious module into the
kernel, game over...so it isn't much of an argument.  (and of course, we
export the security_ops pointer as well, and yes, i'd like to remove
that as well, but currently the dte project and the lsm_ip_glue rely on
it being exported, so i'll wait).

jmjones, please understand the patch before making allegations that this
is political, or favoring LSM vs. 'other solutions'.

-chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
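As an added example, not part of this thread or of the LSM project's code: a small POSIX shell audit that lists the symbols a kernel source tree hands to every loadable module through EXPORT_SYMBOL()/EXPORT_SYMBOL_GPL() and flags the dispatch tables (names ending in `_ops`) among them, which is the kind of exposure the patch under discussion removes for capability_ops and nproc_ops. The sample source files, the temporary directory and the function names are all constructed for illustration; point the functions at a real tree to audit it.

```shell
#!/bin/sh
# Added example (not from the LSM patch or this thread): report which
# symbols a kernel source tree exports to loadable modules, and single
# out exported ops structures, since an exported, writable dispatch table
# is what a loaded module could redirect wholesale.

# Constructed sample input standing in for security/capability.c and a
# second file; only the symbol names mirror the thread, the rest is made up.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/capability.c" <<'EOF'
struct security_operations capability_ops = { 0 };
EXPORT_SYMBOL(capability_ops);
EXPORT_SYMBOL(security_ops);
EOF
cat > "$SAMPLE_DIR/nproc.c" <<'EOF'
EXPORT_SYMBOL_GPL(nproc_ops);
EXPORT_SYMBOL(some_helper);
EOF

# Every symbol exported anywhere under the given tree, one per line, sorted.
exported_symbols() {
    grep -rhoE 'EXPORT_SYMBOL(_GPL)?\([[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\)' "$1" \
      | sed -E 's/EXPORT_SYMBOL(_GPL)?\([[:space:]]*([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*\)/\2/' \
      | sort -u
}

# Only the exported symbols that look like operations tables (*_ops).
# "|| true" keeps a clean tree (no matches) from being reported as an error.
exported_ops_tables() {
    exported_symbols "$1" | grep -E '_ops$' || true
}

# Number of exported ops tables, trimmed of wc's padding.
count_exported_ops() {
    exported_ops_tables "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show what the constructed tree exposes to modules.
echo "exported ops tables under $SAMPLE_DIR:"
exported_ops_tables "$SAMPLE_DIR"
```

On the constructed tree the audit lists capability_ops, nproc_ops and security_ops and leaves some_helper out, so a reviewer sees at a glance which dispatch tables the build leaves reachable from any module; run it before and after a patch like this one to confirm the symbols really disappear.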
    
    This archive was generated by hypermail 2b30 : Wed Nov 07 2001 - 16:33:42 PST