Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2

From: James Morris (jmorrisat_private)
Date: Wed Oct 02 2002 - 04:40:41 PDT

    On Tue, 1 Oct 2002, Olaf Dietsche wrote:
    
    > Well, we'll never know until we try :-). Besides that, sys_bind() and
    > inet_bind() are on an entirely different level.
    
    Sorry, but I'm not in favour of this hook.
    
    Firstly, as far as I can tell, what you're trying to do in accessfs is
    provide fine-grained control over access to ports with otherwise normal
    Unix user/group/other file permissions, and the purpose of the hook is to
    determine the range of ports which are protected by this scheme. This is
    unnecessarily overloading the existing kernel logic relating to reserved
    ports as part of a quite different access control model.
    
    Secondly, what accessfs (and this hook) is trying to do is essentially
    authoritative+permissive, a model not explicitly supported by LSM at this
    point.
    
    Please don't get me wrong: I think the general idea of accessfs is pretty
    cool, but it seems to be out of scope for LSM as a restrictive framework.
    
    
    - James
    -- 
    James Morris
    <jmorrisat_private>
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


