On Mon, 12 Nov 2001, Casey Schaufler wrote:

> One more thing ...
>
> I wrote:
>
> > if (!(uid-checks-out-okay) && !capable(CAP_XYZ))
>
> should be changed to:
>
> if (!capable(CAP_XYZ) && !(uid-checks-out-okay))

You're asking for a change to the base kernel logic, not just a change to LSM. And the base kernel seems to prefer only calling capable if the capability is truly needed, after a failure of the base DAC logic.

> if C+R is going to be the Official way to use LSM.
> Otherwise, the architecture is going to advocate
> (require?) that code with potential side-effects
> get executed in cases where it is at best unnecessary
> and in some cases (side effects) may cause the system
> to break.

I'm not sure what you mean by "the official way to use LSM." I have simply argued that POSIX ACLs can be implemented via the current LSM without needing authoritative hooks, so your earlier example of POSIX ACLs isn't motivating for authoritative hooks. That isn't to say that there aren't motivating examples for authoritative hooks, just that POSIX ACLs isn't one of them.

Are there specific examples of the side effects that you mention? As I said above, the ordering of the DAC logic and the capable call is part of the base kernel, so I don't see what your point is here.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
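The ordering question in the thread (DAC check first, capability check only on DAC failure, versus capability check first) is easy to see with a small model. The following is an added example, not code from the thread or from the Linux kernel: it models `capable()` as a function with a counted side effect (standing in for what the real kernel call does, such as marking the task with PF_SUPERPRIV or emitting an audit record), runs a constructed list of requests through both orderings, and reports how often the side effect fires. The request structure, the `model_capable` and `dac_ok` helpers and the sample data are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of an access request: caller uid, object owner uid,
 * and whether the caller actually holds the relevant capability. */
struct req {
    unsigned uid;
    unsigned owner;
    bool has_cap;
};

/* Counts how often the capability check ran. This stands in for the side
 * effects a real capable() call has, which are what the ordering debate is
 * about; here the side effect is simply a counter. */
static int capable_calls;

/* Hypothetical stand-in for capable(CAP_XYZ): the side effect happens on
 * every call, whether or not the capability is granted. */
static bool model_capable(const struct req *r)
{
    capable_calls++;
    return r->has_cap;
}

/* Minimal DAC rule for the example: only the owner passes. */
static bool dac_ok(const struct req *r)
{
    return r->uid == r->owner;
}

/* Ordering the base kernel prefers: DAC first, capability only if DAC fails.
 * Returns nonzero when access is denied. */
static int deny_dac_first(const struct req *r)
{
    return !dac_ok(r) && !model_capable(r);
}

/* Proposed ordering from the thread: capability check first. */
static int deny_cap_first(const struct req *r)
{
    return !model_capable(r) && !dac_ok(r);
}

/* Constructed sample requests covering the four interesting combinations. */
static const struct req sample[] = {
    {1000, 1000, false}, /* owner without capability: DAC passes */
    {1000,    0, true},  /* non-owner holding the capability */
    {1000,    0, false}, /* non-owner without capability: denied */
    {   0,    0, true},  /* owner who also holds the capability */
};
#define NSAMPLE (int)(sizeof(sample) / sizeof(sample[0]))

/* Run every sample request through one ordering. Stores the number of
 * denials in *denied and returns how many times the capability check ran. */
static int run_ordering(int (*deny)(const struct req *), int *denied)
{
    capable_calls = 0;
    *denied = 0;
    for (int i = 0; i < NSAMPLE; i++)
        if (deny(&sample[i]))
            (*denied)++;
    return capable_calls;
}

int calls_dac_first(void)  { int d; return run_ordering(deny_dac_first, &d); }
int denied_dac_first(void) { int d; run_ordering(deny_dac_first, &d); return d; }
int calls_cap_first(void)  { int d; return run_ordering(deny_cap_first, &d); }
int denied_cap_first(void) { int d; run_ordering(deny_cap_first, &d); return d; }

int main(void)
{
    printf("DAC first: %d capable() calls, %d denials\n",
           calls_dac_first(), denied_dac_first());
    printf("cap first: %d capable() calls, %d denials\n",
           calls_cap_first(), denied_cap_first());
    return 0;
}
```

Both orderings reach the same access decisions (one denial out of four), but with the capability check first the side effect fires on every request, including the ones DAC would have granted outright; with DAC first it fires only for the two non-owner requests where the capability is actually needed.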
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 11:27:30 PST