* Stephen Smalley (sdsat_private) wrote:
>
> On Tue, 16 Jul 2002, Stephen Smalley wrote:
>
> > The dummy
> > module should mostly function as expected for traditional superuser logic,
> > but will run into a denial on netlink messages due to the lack of the
> > netlink changes in this patch.
>
> Sorry, this statement isn't correct. As it currently stands, the dummy
> security module never touches or uses the task cap_* fields, so these
> fields retain the initial values inherited from the parent task, going all
> the way back to the init task. Hence, any direct capability checks
> against the task cap_* fields by the base kernel (as opposed to calls to
> capable() or security_ops->capable()) will always succeed when the dummy
> module is in use. In the full LSM patch, we replace all such direct
> capability checks with hook calls so that the dummy module can perform a
> traditional superuser test. However, the base LSM patch that I posted
> does not include all of those changes, particularly the netlink changes
> and the OOM killer changes. We could add those changes to this base patch
> for completeness if desired, but they are located in the mm code and the
> netlink code, so it may be preferable to keep them separate.

I think we should probably keep them separate.

-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
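The difference the quoted message describes, as an added user-space model that is not part of the original thread or of the LSM patch: a direct test of an inherited capability field passes for an unprivileged task, while the same decision routed through a hook that applies the traditional superuser test is denied. All struct and function names are hypothetical, the dummy hook is reduced to an `euid == 0` test, and the init task's capability set is a constructed value with every bit set.

```c
#include <stdio.h>

/* User-space model, not kernel code. All names are hypothetical. */
#define CAP_NET_ADMIN 12                 /* value from linux/capability.h */
#define CAP_TO_MASK(c) (1u << (c))

struct task_model {
    unsigned int euid;
    unsigned int cap_effective;          /* stands in for the task cap_* fields */
};

struct security_ops_model {
    int (*capable)(const struct task_model *t, int cap);  /* 0 = allow */
};

/* Assumption: init starts as root with every capability bit set (constructed). */
static struct task_model make_init_task(void) {
    struct task_model t = { 0u, ~0u };
    return t;
}

/* The dummy module never touches cap_*: a child inherits them unchanged,
 * even when it ends up running as an unprivileged user. */
static struct task_model fork_task(const struct task_model *parent, unsigned int euid) {
    struct task_model child = *parent;
    child.euid = euid;
    return child;
}

/* Dummy module's hook, reduced to the traditional superuser test. */
static int dummy_capable(const struct task_model *t, int cap) {
    (void)cap;
    return t->euid == 0 ? 0 : -1;
}
static const struct security_ops_model dummy_ops = { dummy_capable };

/* Direct test of the cap field, as in code not yet converted to hook calls. */
static int direct_check(const struct task_model *t, int cap) {
    return (t->cap_effective & CAP_TO_MASK(cap)) != 0;
}

/* Same decision routed through the security_ops hook. */
static int hooked_check(const struct security_ops_model *ops,
                        const struct task_model *t, int cap) {
    return ops->capable(t, cap) == 0;
}

int main(void) {
    struct task_model init = make_init_task();
    struct task_model user = fork_task(&init, 1000);
    printf("direct=%d hooked=%d\n", direct_check(&user, CAP_NET_ADMIN),
           hooked_check(&dummy_ops, &user, CAP_NET_ADMIN));
    return 0;
}
```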
This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 09:24:49 PDT