* Greg KH (gregat_private) wrote:
> On Mon, Sep 30, 2002 at 12:52:07AM -0700, Chris Wright wrote:
> > * Stephen Smalley (sdsat_private) wrote:
> > >
> > > All of the hooks in the 2.5.38-lsm-ipc.patch are used by SELinux. Of the
> > > hooks in the 2.5.38-lsm-misc.patch, the following hooks appear to be
> > > unused by the existing security modules:
> > >     sethostname
> > >     setdomainname
> > >     reboot
> > >     ioperm
> > >     iopl
> > >     module_*
> >
> > All of the above hooks are used by SubDomain.
>
> Is subdomain going to be released under the GPL anytime soon?

I hope so, yes.

> And is there any reason you can't use the capabilities check for these
> hooks, like SELinux does? From what I remember, SubDomain didn't check
> these hooks in the past with any finer-grained access rights from what
> capabilities would give you, or am I forgetting things?

This is certainly true for reboot, and nearly true for module_*.
However, set*name is simply using CAP_SYS_ADMIN...I think the change
should go the other way. For example, it's simple to do:

    cap_sethostname(...)
    {
        return cap_capable(current, CAP_SYS_ADMIN);
    }

thanks,
-chris
--
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
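A user-space model of the arrangement discussed in this message, added here as an illustration; it is not code from the thread or from the LSM patches. The names cap_sethostname, cap_capable and CAP_SYS_ADMIN come from the message; struct task, struct security_ops, strict_sethostname, do_sethostname and the "netconfig" profile are hypothetical. It assumes cap_capable returns 0 when the capability is held and -EPERM otherwise.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_SYS_ADMIN 21  /* numeric value from linux/capability.h */

/* Constructed stand-in for the kernel task structure. */
struct task { uint32_t cap_effective; const char *profile; };

/* Hypothetical hook table: one function pointer per mediated operation. */
struct security_ops { int (*sethostname)(const struct task *, const char *); };

/* Assumed convention: 0 if the capability is held, -EPERM otherwise. */
static int cap_capable(const struct task *t, int cap)
{
    return (t->cap_effective & (1u << cap)) ? 0 : -EPERM;
}

/* Capability module: the hook carries the CAP_SYS_ADMIN test itself. */
static int cap_sethostname(const struct task *t, const char *name)
{
    (void)name;
    return cap_capable(t, CAP_SYS_ADMIN);
}

/* Hypothetical finer-grained module: capability plus a per-profile rule. */
static int strict_sethostname(const struct task *t, const char *name)
{
    int rc = cap_sethostname(t, name);
    if (rc)
        return rc;
    return (t->profile && strcmp(t->profile, "netconfig") == 0) ? 0 : -EACCES;
}

static const struct security_ops cap_ops = { cap_sethostname };
static const struct security_ops strict_ops = { strict_sethostname };

/* Model of the syscall path: no hard-coded capability test, only the hook. */
static int do_sethostname(const struct security_ops *ops,
                          const struct task *t, const char *name)
{
    return ops->sethostname(t, name);
}

int main(void)
{
    struct task admin = { 1u << CAP_SYS_ADMIN, "shell" };  /* constructed */
    printf("cap module:    %d\n", do_sethostname(&cap_ops, &admin, "h"));
    printf("strict module: %d\n", do_sethostname(&strict_ops, &admin, "h"));
    return 0;
}
```

With the capability test living in the hook, the capability module keeps the existing behaviour, and a module that wants a narrower rule replaces the hook without the caller changing.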
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 11:36:27 PDT