On Fri, Sep 27, 2002 at 05:48:49PM +0100, Christoph Hellwig wrote: > > capable is needed to be checked, as we are not modifying the existing > > permission logic. > > I odn't think it makes sense to have two security checks that both > end up in the LSM code after each other.. For cases like the module_* hooks, and the other examples you pointed out, I agree. For other cases, capable() is just not fine grained enough to actually know what is going on (like CAP_SYS_ADMIN). In those cases you need an extra hook to determine where in the kernel you are. thanks, greg k-h _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 09:58:41 PDT