Re: [RFC][PATCH] Add LSM sysctl hook to 2.5.59

From: Crispin Cowan (crispinat_private)
Date: Mon Jan 20 2003 - 05:30:37 PST


    Russell Coker wrote:
    >Your message was not entirely clear to me, but I get the impression that it 
    >means just providing all relevant information to the security module (SE 
    >Linux in this case) and letting it decide what to do next.  But how does that 
    >really differ from what we have now?
    I'm not sure, but that's because I don't entirely understand Christoph's 
    objection. I inferred from Christoph's comment that Stephen's patch 
    required all modules to implement some data structure listing all sysctl 
    variables. If that is the case, then Christoph has a point, and this 
    design might need some refinement.
    On the other hand, if the hook just presents a list of sysctl parameters 
    to the module and asks the module if it cares, then it essentially is my 
    suggested solution:
        * modules that don't care about sysctl can just ignore it and say
          "ok" to everything
        * modules that just want to be blunt can block sysctl for every
          process that isn't, e.g., root
        * modules that want to be fine-grained about it can implement their
          own data structures to track who can do what
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX            
    Security Hardened Linux Distribution:
    Available for purchase:
    			    Just say ".Nyet"

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private
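
The three module behaviours listed in the message above, as an added example that is not part of the original post or of the patch under discussion: a userspace C model in which the hook hands each sysctl request to the module and the module answers. The `sysctl_req` struct, the `hook_*` functions, the operation bits and the rule table are assumptions made for illustration, not the kernel's LSM interface.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model with hypothetical names; not the kernel's LSM interface. */
enum { OP_WRITE = 2, OP_READ = 4 };            /* constructed operation bits */

struct sysctl_req {                            /* what the hook passes to a module */
    const char *name;                          /* dotted name, e.g. "kernel.hostname" */
    unsigned uid;                              /* uid of the calling process */
    int op;                                    /* mask of OP_READ / OP_WRITE */
};

/* Module that does not care about sysctl: says "ok" to everything. */
int hook_ignore(const struct sysctl_req *r) { (void)r; return 0; }

/* Blunt module: blocks sysctl for every process that is not root. */
int hook_root_only(const struct sysctl_req *r) { return r->uid == 0 ? 0 : -EPERM; }

/* Fine-grained module: its own private table of who may do what. */
struct rule { const char *prefix; unsigned uid; int allowed; };
static const struct rule rules[] = {           /* constructed sample policy */
    { "kernel.",   0,    OP_READ | OP_WRITE },
    { "net.ipv4.", 0,    OP_READ | OP_WRITE },
    { "net.ipv4.", 1000, OP_READ },
};

int hook_fine_grained(const struct sysctl_req *r)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *p = &rules[i];
        if (p->uid == r->uid &&
            strncmp(r->name, p->prefix, strlen(p->prefix)) == 0 &&
            (r->op & ~p->allowed) == 0)        /* every requested bit is allowed */
            return 0;
    }
    return -EPERM;                             /* no matching rule: deny */
}

int main(void)
{
    struct sysctl_req w = { "net.ipv4.ip_forward", 1000, OP_WRITE };
    printf("ignore=%d root_only=%d fine_grained=%d\n",
           hook_ignore(&w), hook_root_only(&w), hook_fine_grained(&w));
    return 0;
}
```

Only the fine-grained module carries any sysctl-specific data, and it lists just the names its policy covers; everything else falls through to the default deny.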
