Re: [RFC] LSM changes for 2.5.38

From: Christoph Hellwig (hchat_private)
Date: Fri Sep 27 2002 - 11:59:19 PDT


    On Fri, Sep 27, 2002 at 02:54:25PM -0400, Valdis.Kletnieksat_private wrote:
    > By the same token, at that point you can download the kernel source and
    > build it without LSM.  What I showed was a way to bypass the iptables
    > rules set up *WITHOUT REPLACING A MODULE* (which might be detected by
    > tripwire, or totally refused because the LSM rejects any writes in /lib/modules).
    
    insmod doesn't require modules to be in /lib/modules.  Anyway I could even change
    the device name _after_ it was loaded.  This is Linux and not BSD..
    
    Given that we really want fine-grained control over whose netdevice can get what
    names, we'd better place a hook in dev_alloc_name.
    
    And that's my whole point: LSM adds random hooks all over the place without
    even thinking what they intend to protect.
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


