On Mon, 22 Jul 2002, Stephen Smalley wrote:

> On Fri, 19 Jul 2002, Robb Romans wrote:
>
> > Here is a patch for adding a hook to control setting the system time in
> > kernel/time.c. We need this hook for our implementation of *BSD Secure
> > Levels as an LSM.
> >
> > You may note that sys_stime is not covered by this hook. There are a
> > couple of ways we are exploring to address this.
> >
> > Many thanks to Chris Wright and Seth Arnold for the help and patience.
>
> Such a hook was previously considered, but was not adopted since the
> CAP_SYS_TIME capability seemed sufficient to control these operations.
> Can you clarify why you need a finer-grained hook?

The CAP_SYS_TIME capability denies any change to system time. We need to
be able to prevent decrementing the system time, but allow increment.
This follows the *BSD implementation of secure levels.

See:
http://www.openbsd.org/cgi-bin/man.cgi?query=securelevel&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

for a description of what we are aiming for.

Regards,
Robb

--
Robb Romans                    (512) 838-0419
Linux Commando                 T/L 678-0419
IBM Linux Technology Center    KD5SQF
Ask me about the W5IBM Amateur Radio Club
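
Added example, not part of the original message or of the patch it discusses: a user-space C model of the distinction drawn above, where a CAP_SYS_TIME-style check is all-or-nothing and a securelevel-style hook has to compare the requested time with the current one. Every type and function name and the `rollback_locked` flag are hypothetical, and the sample values are constructed.

```c
/* User-space model only; this is not kernel code and not the posted patch. */
#include <errno.h>
#include <stdbool.h>

struct tv { long sec; long usec; };       /* stand-in for struct timeval */
struct task { bool cap_sys_time; };       /* models holding CAP_SYS_TIME */

/* Capability check: sees only the caller, so it can permit or deny
 * every time change, but cannot tell forward from backward. */
static int cap_settime(const struct task *t)
{
    return t->cap_sys_time ? 0 : -EPERM;
}

/* Securelevel-style hook: receives the current and requested values,
 * so it can refuse a decrement while still allowing an increment. */
static int seclvl_settime(bool rollback_locked, struct tv now, struct tv req)
{
    if (!rollback_locked)
        return 0;
    if (req.sec < now.sec ||
        (req.sec == now.sec && req.usec < now.usec))
        return -EPERM;                    /* time would move backwards */
    return 0;
}

/* Order of checks: the coarse capability first, then the finer hook.
 * The hook only ever narrows what the capability already allowed. */
int model_settimeofday(const struct task *t, bool rollback_locked,
                       struct tv now, struct tv req)
{
    int err = cap_settime(t);
    if (err)
        return err;
    return seclvl_settime(rollback_locked, now, req);
}
```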