On Tue, 8 Oct 2002, Chris Wright wrote:
> I don't see a nice way to collapse this w/out basically DAC out...any
> ideas?

I don't think we want to collapse any capable() calls that are embedded in compound logic with uid or mode checking logic. In this case, capable() is serving a permissive purpose, and that isn't consistent with the restrictive LSM hook. I would only advocate collapsing capable() with the LSM hook when:

a) the capable() call stands alone as an authoritative or restrictive check on the operation (i.e. no uid/mode logic intertwined with it),

b) the capable() call is already immediately next to the LSM hook or can be trivially relocated without any side effects (this is often not the case, as the LSM hook cannot be invoked until the kernel object has been looked up, whereas the capable() check is only based on the current task).

-- 
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
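The distinction Smalley draws above, as an added toy model written for this archive page (it is not kernel code and not code from either poster). It contrasts the two situations: a capable() call embedded in an owner-or-capable DAC check, where the capability widens access and so cannot be folded into a hook that can only deny, and a stand-alone CAP_SYS_ADMIN check sitting right next to its hook, where folding it in is safe. The task and inode structs, the `immutable_label` policy in the hook, and the sample subjects and objects are all constructed for the illustration; the error codes and capability numbers mirror the real ones only by convention.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the kernel constructs discussed in the message above
 * (not kernel code): a task with a capability set, an inode with an
 * owner, and a restrictive LSM hook layered after the DAC check. */

#define EPERM  1
#define EACCES 13

#define CAP_FOWNER    3
#define CAP_SYS_ADMIN 21

struct task  { unsigned uid; uint64_t cap_effective; };
struct inode { unsigned uid; bool immutable_label; }; /* hypothetical LSM label */

static bool capable(const struct task *t, int cap)
{
    return (t->cap_effective >> cap) & 1;
}

/* Restrictive LSM hook: it may add denials but never grant. Hypothetical
 * policy: objects carrying the immutable label may not be modified by
 * anyone, capabilities notwithstanding. Note that it needs the inode,
 * so it can only run after the object has been looked up, whereas
 * capable() above needs nothing but the current task. */
static int security_inode_setattr(const struct task *t, const struct inode *i)
{
    (void)t;
    return i->immutable_label ? -EACCES : 0;
}

/* Case 1: capable() intertwined with uid logic. CAP_FOWNER widens access
 * (owner OR capable), so here it is permissive and has to stay in the
 * DAC logic, ahead of the restrictive hook. */
static int setattr_permission(const struct task *t, const struct inode *i)
{
    if (t->uid != i->uid && !capable(t, CAP_FOWNER))
        return -EPERM;
    return security_inode_setattr(t, i);
}

/* The same check with capable() "collapsed" into the hook: the DAC
 * branch now denies every non-owner, and the hook, being restrictive,
 * has no way to re-grant. A privileged non-owner is wrongly refused. */
static int setattr_permission_collapsed(const struct task *t, const struct inode *i)
{
    if (t->uid != i->uid)
        return -EPERM;
    return security_inode_setattr(t, i);
}

/* Case 2: a stand-alone authoritative capable() check with no uid/mode
 * logic, with the LSM hook immediately next to it. The hook's default
 * behaviour (what the capability module would supply) performs the
 * CAP_SYS_ADMIN check itself, so dropping the explicit call is
 * semantics-preserving; a replacement module becomes authoritative. */
static int security_sys_admin_op(const struct task *t)
{
    return capable(t, CAP_SYS_ADMIN) ? 0 : -EPERM;
}

static int sys_admin_op_permission(const struct task *t)
{
    if (!capable(t, CAP_SYS_ADMIN))
        return -EPERM;
    return security_sys_admin_op(t);
}

static int sys_admin_op_permission_collapsed(const struct task *t)
{
    return security_sys_admin_op(t);
}

/* Constructed sample subjects and objects (not from the original message). */
static const struct task  owner_task  = { 1000, 0 };
static const struct task  other_task  = { 1001, 0 };
static const struct task  root_task   = { 0, (UINT64_C(1) << CAP_FOWNER) |
                                             (UINT64_C(1) << CAP_SYS_ADMIN) };
static const struct inode plain_file  = { 1000, false };
static const struct inode locked_file = { 1000, true };

int main(void)
{
    printf("root on a file it does not own, original:  %d\n",
           setattr_permission(&root_task, &plain_file));
    printf("root on a file it does not own, collapsed: %d\n",
           setattr_permission_collapsed(&root_task, &plain_file));
    printf("owner on immutable-labelled file:          %d\n",
           setattr_permission(&owner_task, &locked_file));
    return 0;
}
```

The first two lines of output differ (0 versus -1): that gap is exactly the permissive behaviour that a deny-only hook cannot reproduce, which is why criterion (a) above rules such calls out. The third line shows the hook doing what it is for, tightening a decision DAC already allowed.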
This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 05:22:44 PDT