"Stacker" - I'll wait until the hooks settle.

From: David Wheeler (dwheelerat_private)
Date: Tue Oct 15 2002 - 08:24:34 PDT


    I'm having trouble keeping up with these last minute tweaks on the
    LSM hooks.  Thus, I'm going to wait a little bit to let the hooks
    settle down before I update my "Stacker" module.  If anyone wants to
    modify Stacker to try to keep up, that's great - let me know! -
    but otherwise I'll wait a little while to do the update.
    
    Early on, I was concerned that perhaps the LSM hooks wouldn't fully
    support a "Stacking" module (the hooks were there that INTENDED to
    support one, but that didn't mean they'd WORK).
    It looks like the LSM modules ARE sufficient to support stacking,
    since I have one such module, and that's good news.  And now that
    I know how to do it without grabbing locks in most cases, I think
    it's actually quite practical (I haven't run any timing tests, but
    following a linked list is a fairly quick operation).
    
    PLEASE DO NOT remove the stacking hooks such as
    register_security(), because there _IS_ at least one GPL'ed
    module that uses it!!
    
    Also - if you're writing a security module, please remember stacking
    modules, and support stacking cleanly where that makes sense.
    If it makes sense, go ahead and call register_security().
    BE SURE that your module is all set to go before calling
    register_security() (e.g., set "secondary=1" before calling it -
    I found a race in the OpenWall LSM module for exactly that reason,
    and it's a problem that's trivially avoided).
    When you're a secondary module, don't try to duplicate the
    functions of the capability module or dummy module - let the
    stacking module determine what other policies should be mixed in.
    
    
    --- David A. Wheeler
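
The ordering advice in the message above, as an added userspace C model; it is not code from the message, from Stacker, or from the kernel. Every name in it (model_register, model_ops, my_hook, init_racy, init_safe) is hypothetical, and the concurrent hook call is simulated deterministically inside the registration function.

```c
/* Userspace model (constructed, not kernel code): all names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

struct model_ops { int (*hook)(void); };

static struct model_ops *registered;   /* slot the registration call fills */
static int secondary;                  /* module state read by its hook */
static int observed = -1;              /* what the first hook call saw */

/* Module hook: reports the state it ran with. A secondary module is meant to
 * leave capability-style checks to the stacking module. */
static int my_hook(void) { return secondary; }

/* Models registration. Once the ops pointer is stored, another CPU may call
 * the hook at once; that worst-case interleaving is made deterministic here
 * by calling the hook before returning. */
static int model_register(struct model_ops *ops)
{
    if (registered) return -1;
    registered = ops;
    observed = registered->hook();
    return 0;
}

static struct model_ops my_ops = { my_hook };

static void reset(void) { registered = NULL; secondary = 0; observed = -1; }

/* Racy order: publish the hooks first, set the flag afterwards. */
int init_racy(void)
{
    reset();
    if (model_register(&my_ops)) return -1;
    secondary = 1;
    return observed;   /* 0: the hook ran before the flag was set */
}

/* Order the message recommends: finish setup, then publish; undo on failure. */
int init_safe(void)
{
    reset();
    secondary = 1;
    if (model_register(&my_ops)) { secondary = 0; return -1; }
    return observed;   /* 1: the hook saw fully initialised state */
}

int main(void)
{
    printf("racy: hook saw secondary=%d\n", init_racy());
    printf("safe: hook saw secondary=%d\n", init_safe());
    return 0;
}
```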
    
    
    
    
    


