Russell Coker wrote:
> Your message was not entirely clear to me, but I get the impression that it
> means just providing all relevant information to the security module (SE
> Linux in this case) and letting it decide what to do next. But how does that
> really differ from what we have now?

I'm not sure, but that's because I don't entirely understand Christoph's objection.

I inferred from Christoph's comment that Stephen's patch required all modules to implement some data structure listing all sysctl variables. If that is the case, then Christoph has a point, and this design might need some refinement.

On the other hand, if the hook just presents a list of sysctl parameters to the module and asks the module if it cares, then it essentially is my suggested solution:

 * modules that don't care about sysctl can just ignore it and say "ok" to everything
 * modules that just want to be blunt can block sysctl for every process that isn't, e.g., root
 * modules that want to be fine-grained about it can implement their own data structures to track who can do what

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"
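The three kinds of module Crispin lists above, modelled as a small userland program. This is an added example, not code from this thread, from SE Linux, or from the kernel's LSM framework: the hook signature (task context, full sysctl path, operation bits), the SYSCTL_READ/SYSCTL_WRITE values, the sec_ops struct, and the three module policies are all assumptions chosen to illustrate the design point that the framework hands the module the information and lets it decide, with no per-module table of every sysctl variable required up front. The sample sysctl paths and uids are constructed for the demonstration.

```c
/*
 * Userland model of a sysctl hook that presents each request to the loaded
 * security module and asks whether it cares.  Added illustration; the hook
 * shape, op bits and module policies below are assumptions, not kernel code.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define SYSCTL_READ  0x4   /* assumed op bits, shaped like rwx mode bits */
#define SYSCTL_WRITE 0x2

/* What the framework knows about the caller when the hook fires. */
struct task_ctx {
    uid_t uid;
};

/*
 * The hook contract: the framework passes the requesting task, the full
 * sysctl path and the operation, and the module answers 0 ("ok") or a
 * negative errno ("deny").  The module is not asked to enumerate anything.
 */
struct sec_ops {
    const char *name;
    int (*sysctl)(const struct task_ctx *t, const char *path, int op);
};

/* 1. A module that does not care about sysctl: say ok to everything. */
static int nocare_sysctl(const struct task_ctx *t, const char *path, int op)
{
    (void)t; (void)path; (void)op;
    return 0;
}

/* 2. A blunt module: block sysctl writes for every process that isn't root. */
static int blunt_sysctl(const struct task_ctx *t, const char *path, int op)
{
    (void)path;
    if ((op & SYSCTL_WRITE) && t->uid != 0)
        return -EACCES;
    return 0;
}

/*
 * 3. A fine-grained module keeps its own data structure: here a first-match
 * allow list of (uid, path prefix, permitted ops).  Anything unmatched is
 * denied.  A linear scan is fine for a demo; a real module would index it.
 */
struct sysctl_rule {
    uid_t uid;            /* (uid_t)-1 matches any uid */
    const char *prefix;   /* "" matches every sysctl path */
    int ops;
};

static const struct sysctl_rule rules[] = {           /* constructed policy */
    { 0,         "",               SYSCTL_READ | SYSCTL_WRITE }, /* root: all */
    { 1000,      "net/ipv4/",      SYSCTL_READ },                /* read only */
    { (uid_t)-1, "kernel/ostype",  SYSCTL_READ },                /* anyone   */
};

static int finegrained_sysctl(const struct task_ctx *t, const char *path, int op)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct sysctl_rule *r = &rules[i];
        if (r->uid != (uid_t)-1 && r->uid != t->uid)
            continue;
        if (strncmp(path, r->prefix, strlen(r->prefix)) != 0)
            continue;
        if ((op & ~r->ops) != 0)
            return -EACCES;   /* matched, but asks for more than allowed */
        return 0;
    }
    return -EACCES;           /* default deny is this module's choice */
}

const struct sec_ops nocare_ops      = { "nocare",      nocare_sysctl };
const struct sec_ops blunt_ops       = { "blunt",       blunt_sysctl };
const struct sec_ops finegrained_ops = { "finegrained", finegrained_sysctl };

/* Sample callers, constructed for the demo. */
const struct task_ctx task_root = { 0 };
const struct task_ctx task_user = { 1000 };

/* Framework side: no module loaded means no restriction, as with a dummy module. */
int security_sysctl(const struct sec_ops *ops, const struct task_ctx *t,
                    const char *path, int op)
{
    if (ops == NULL || ops->sysctl == NULL)
        return 0;
    return ops->sysctl(t, path, op);
}

int main(void)
{
    const struct sec_ops *mods[] = { &nocare_ops, &blunt_ops, &finegrained_ops };
    const char *p = "net/ipv4/ip_forward";
    size_t i;
    for (i = 0; i < sizeof mods / sizeof mods[0]; i++)
        printf("%-12s root write %d, uid1000 write %d, uid1000 read %d\n",
               mods[i]->name,
               security_sysctl(mods[i], &task_root, p, SYSCTL_WRITE),
               security_sysctl(mods[i], &task_user, p, SYSCTL_WRITE),
               security_sysctl(mods[i], &task_user, p, SYSCTL_READ));
    return 0;
}
```

The interesting contrast is between the blunt and fine-grained modules on the same request: the blunt one only looks at the uid and the op, while the fine-grained one consults its own table and can, for example, let an unprivileged process read net/ipv4/ but not write it, and deny it reads elsewhere. Neither needed the framework to require a list of all sysctl variables from every module.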
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 05:32:37 PST