* Valdis.Kletnieksat_private (Valdis.Kletnieksat_private) wrote:
> On Fri, 19 Jul 2002 13:57:22 EDT, David Wheeler <dwheelerat_private> said:
> > Chris rightly stated that someone should create a
> > "stacking" module. So, I've started to do just that.
> > I'll post my first draft soon.

David, thanks. Look forward to seeing the draft.

> Now, I understand how (at least conceptually) you could stack modules that
> are addressing different areas - for instance, a module for *just* the
> network hooks and a module for resource limits could co-exist easily
> enough.
>
> But how do you intend to handle composition of functions if they're in the
> *same* area? I thought for a moment that a rule like "a module can't grab
> a hook that's already in use by a previously stacked module", but that's
> a non-starter (for instance, if the first module only cares about open()
> and the second wants open() and mmap(), you're stuck). I think this was
> the issue that made any sort of generalized stacking impractical?

A multiplexor will have the complete LSM interface for each registered
module. It is possible to call each registered module on each operation.
The fact that some modules care about different parts of the interface
isn't inherently an issue. The difficult parts are the blobs and choosing
a policy to compose a result.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
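The multiplexor described in the reply above, as an added example that is not part of the original message or of the LSM code: a simplified userspace C model in which every registered module is called on every operation and a module that leaves a hook unset simply abstains. The names `sec_ops`, `mux_*`, the two sample modules and the "first denial wins" composition policy are assumptions made for illustration; security blobs are not modelled.

```c
#include <errno.h>
#include <string.h>

/* Hypothetical two-hook slice of a security interface, not the real LSM struct. */
struct sec_ops {
    int (*file_open)(const char *path);
    int (*file_mmap)(const char *path, int exec);
};

#define MAX_MODULES 4
static const struct sec_ops *stacked[MAX_MODULES];
static size_t n_stacked;
int mux_register(const struct sec_ops *ops)
{
    if (n_stacked == MAX_MODULES) return -ENOSPC;
    stacked[n_stacked++] = ops;
    return 0;
}

/* Assumed composition policy: keep the first denial, but still call every module. */
static int fold(int acc, int rc) { return acc ? acc : rc; }
int mux_file_open(const char *path)
{
    int res = 0;
    for (size_t i = 0; i < n_stacked; i++)
        if (stacked[i]->file_open)          /* NULL hook: module abstains */
            res = fold(res, stacked[i]->file_open(path));
    return res;
}

int mux_file_mmap(const char *path, int exec)
{
    int res = 0;
    for (size_t i = 0; i < n_stacked; i++)
        if (stacked[i]->file_mmap)
            res = fold(res, stacked[i]->file_mmap(path, exec));
    return res;
}

/* Constructed sample modules: A hooks open() only, B hooks open() and mmap(). */
static int a_open(const char *p) { return strncmp(p, "/secret/", 8) ? 0 : -EACCES; }
static int b_open(const char *p) { return strcmp(p, "/etc/shadow") ? 0 : -EPERM; }
static int b_mmap(const char *p, int exec) { (void)p; return exec ? -EPERM : 0; }
static const struct sec_ops mod_a = { .file_open = a_open };
static const struct sec_ops mod_b = { .file_open = b_open, .file_mmap = b_mmap };
int main(void)
{
    return mux_register(&mod_a) || mux_register(&mod_b) || mux_file_open("/tmp/x");
}
```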
This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 14:09:39 PDT