Hey! Wait! Stacker uses module_delete! Don't remove that hook!

From: David Wheeler (dwheelerat_private)
Date: Thu Oct 03 2002 - 12:06:44 PDT

    Hey! Wait! Stacker uses module_delete!
    Please don't remove that hook!
    
    If you look at the code for the Stacker LSM
    (http://www.dwheeler.com/misc/stacker.c),
    you'll find code for stacker_module_delete.
    In the default case, this code prevents users from
    removing modules that are stacked UNLESS they have been
    deactivated first. For speed, Stacker by default DOES NOT
    lock individual access requests.  Thus, if it simply allowed stacked
    modules to be removed, removing those modules would
    essentially guarantee a kernel panic.
    You can't "just wait" either, because
    without locks the kernel doesn't know how long to wait.
    Instead, it imposes an additional step before modules can be removed.
    
    Stacker is a GPL'ed LSM module, and has been
    released to the public for some time.
    Sorry I haven't spoken up before, I've been off doing other things.
    
    By the way, does the elimination of module_* mean that
    LSM is unable to implement the BSD jail() function
    (where some root users can't do certain functions)?
    I think it does.  I don't know if anyone thinks that's a problem.
    
    
    --- David A. Wheeler
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
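As an added illustration, not code from stacker.c: a user-space C model of the check the mail describes, in which a stacked module's removal is refused until the module has been deactivated, because without per-request locking there is no way to know when in-flight hook calls have drained. The error codes EBUSY, ENOENT and EPERM, the function names and the slot table are assumptions.

```c
#include <errno.h>
#include <stddef.h>

/* Illustrative user-space model, not the Stacker source: struct module
 * stands in for the kernel's and is identified by pointer only. */
struct module { const char *name; };
#define MAX_STACKED 8
/* One slot per stacked LSM. `active` stays set while Stacker may still
 * dispatch hook calls into it; with no per-request locking nothing tells
 * us when in-flight calls have drained, so removal is refused, not waited. */
struct stacked_entry { struct module *mod; int active; };
static struct stacked_entry stacked[MAX_STACKED];
static int n_stacked;

static struct stacked_entry *find_stacked(const struct module *mod)
{
    for (int i = 0; i < n_stacked; i++)
        if (stacked[i].mod == mod)
            return &stacked[i];
    return NULL;
}

/* Register a module in the stack; it starts active. */
int stack_module(struct module *mod)
{
    if (n_stacked == MAX_STACKED || find_stacked(mod))
        return -EBUSY;                    /* assumed error code */
    stacked[n_stacked].mod = mod;
    stacked[n_stacked++].active = 1;
    return 0;
}

/* The extra step the mail describes: stop dispatching into the module
 * before it may be unloaded. */
int deactivate_stacked(struct module *mod)
{
    struct stacked_entry *e = find_stacked(mod);
    if (!e) return -ENOENT;               /* assumed error code */
    e->active = 0;
    return 0;
}

/* Model of the module_delete hook: 0 lets the unload proceed, non-zero
 * denies it. The denial code is an assumption; the mail does not say. */
int stacker_module_delete(struct module *mod)
{
    struct stacked_entry *e = find_stacked(mod);
    if (!e) return 0;                     /* not stacked: not our concern */
    if (e->active) return -EPERM;         /* hooks may be in flight: refuse */
    *e = stacked[--n_stacked];            /* drop the slot, then allow */
    return 0;
}
```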
    This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 12:14:57 PDT