I'm having trouble keeping up with these last-minute tweaks on the LSM hooks. Thus, I'm going to wait a little bit to let the hooks settle down before I update my "Stacker" module. If anyone wants to modify Stacker to try to keep up, that's great - let me know! - but otherwise I'll wait a little while to do the update.

Early on, I was concerned that perhaps the LSM hooks wouldn't fully support a "Stacking" module (the hooks were there that INTENDED to support one, but that didn't mean they'd WORK). It looks like the LSM modules ARE sufficient to support stacking, since I have one such module, and that's good news. And now that I know how to do it without grabbing locks in most cases, I think it's actually quite practical (I haven't run any timing tests, but following a linked list is a fairly quick operation).

PLEASE DO NOT remove the stacking hooks such as register_security(), because there _IS_ at least one GPL'ed module that uses it!!

Also - if you're writing a security module, please remember stacking modules, and support stacking cleanly where that makes sense. If it makes sense, go ahead and call register_security(). BE SURE that your module is all set to go before calling register_security() (e.g., set "secondary=1" before calling it - I found a race in the OpenWall LSM module for exactly that reason, and it's a problem that's trivially avoided). When you're a secondary module, don't try to duplicate the functions of the capability module or dummy module - let the stacking module determine what other policies should be mixed in.

--- David A. Wheeler
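The initialization-order race mentioned in the message, as an added example that is not part of the original post or any LSM module's code: a userspace C model in which `model_register()`, `my_capable()` and every other name are hypothetical stand-ins, and the hook call made inside registration stands in for a call arriving from another CPU.

```c
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not the kernel LSM API. */
struct sec_ops { int (*capable)(int cap); };

static const struct sec_ops *registered; /* ops the stacker will call */
static int secondary;                    /* 1 = stacked under another module */
static int dup_checks;   /* hook calls that duplicated capability logic */

/* Hook: a secondary module leaves capability policy to the stacking module. */
static int my_capable(int cap)
{
    if (!secondary) {                 /* believes it is the only module */
        dup_checks++;
        return cap == 0 ? 0 : -1;     /* constructed stand-in policy */
    }
    return 0;                         /* no opinion of its own */
}

static const struct sec_ops my_ops = { .capable = my_capable };

/* Once ops are published a hook can run at once (on a real system, from
 * another CPU); calling it here makes that window deterministic. */
static void model_register(const struct sec_ops *ops)
{
    registered = ops;
    registered->capable(21);          /* constructed call inside the window */
}

static void reset(void) { registered = NULL; secondary = 0; dup_checks = 0; }

/* Racy order: publish first, set the flag afterwards. */
int init_racy(void)
{
    reset();
    model_register(&my_ops);
    secondary = 1;
    return dup_checks;
}

/* Safe order: state is complete before the ops become reachable. */
int init_safe(void)
{
    reset();
    secondary = 1;
    model_register(&my_ops);
    return dup_checks;
}

int main(void) { printf("racy: %d, safe: %d\n", init_racy(), init_safe()); return 0; }
```

The returned count is the number of hook calls that ran while the module still believed it was primary; in real module code the same check is simply that no store to module state follows the registration call.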
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 08:32:34 PDT