Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2

From: Olaf Dietsche (olaf.dietsche--list.linux-kernel-accessfsat_private)
Date: Thu Oct 03 2002 - 05:01:11 PDT

    James Morris <jmorrisat_private> writes:
    
    > On Tue, 1 Oct 2002, Olaf Dietsche wrote:
    >
    >> Well, we'll never know until we try :-). Besides that, sys_bind() and
    >> inet_bind() are on an entirely different level.
    >
    > Sorry, but I'm not in favour of this hook.
    >
    > Firstly, as far as I can tell, what you're trying to do in accessfs is
    > provide fine grained control over access to ports with otherwise normal
    > Unix user/group/other file permissions, and the purpose of the hook is to
    > determine the range of ports which are protected by this scheme. This is
    > unnecessarily overloading the existing kernel logic relating to reserved
    > ports as part of a quite different access control model.
    >
    > Secondly, what accessfs (and this hook) is trying to do is essentially
    > authoritative+permissive, a model not explicitly supported by LSM at this
    > point.
    
    Well, I must admit, I didn't bother about design philosophies. I just
    thought it would be foolish to not use this existing framework and
    reinvent the wheel on my own.
    
    What I do care about, however, is the goal of having a more secure
    system than before and I thought that's what LSM is all about.
    Seems like I have to invent my own make of security_ops.
    
    Anyway, thanks for listening to my weird ideas. ;-)
    
    > Please don't get me wrong: I think the general idea of accessfs is pretty
    > cool, but it seems to be out of scope for LSM as a restrictive framework.
    
    I'm glad you like it nonetheless.
    
    Regards, Olaf.


