Re: [RFC] No more module_* hooks

• Previous message: Chris Wright: "Re: Early initialization of security modules"
• In reply to: Chris Wright: "Re: [RFC] No more module_* hooks"
• Next in thread: Crispin Cowan: "Re: [RFC] No more module_* hooks"
• Next in thread: James Morris: "Re: [RFC] No more module_* hooks"
• Reply: Crispin Cowan: "Re: [RFC] No more module_* hooks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Sep 30, 2002 at 11:27:51AM -0700, Chris Wright wrote:
> * Greg KH (gregat_private) wrote:
> > 
> > Is subdomain going to be released under the GPL anytime soon?
> 
> I hope so, yes.

Ah, is that yes to both parts of that question?  :)

> > And is there any reason you can't use the capabilities check for these
> > hooks, like SELinux does?  From what I remember, SubDomain didn't check
> > these hooks in the past with any finer-grained access rights from what
> > capabilities would give you, or am I forgetting things?
> 
> This is certainly true for reboot, and nearly true for module_*.  However,
> set*name is simply using CAP_SYS_ADMIN...I think the change should go
> the other way.  For example, it's simple to do:
> 
> cap_sethostname(...) { return cap_capable(current, CAP_SYS_ADMIN); }

That's reasonable.

thanks,

greg k-h
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Greg KH: "Re: [RFC] No more module_* hooks"
• Previous message: Chris Wright: "Re: Early initialization of security modules"
• In reply to: Chris Wright: "Re: [RFC] No more module_* hooks"
• Next in thread: Crispin Cowan: "Re: [RFC] No more module_* hooks"
• Next in thread: James Morris: "Re: [RFC] No more module_* hooks"
• Reply: Crispin Cowan: "Re: [RFC] No more module_* hooks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 15:33:31 PDT