Re: [RFC][PATCH] Add LSM sysctl hook to 2.5.59

From: Crispin Cowan (crispinat_private)
Date: Mon Jan 20 2003 - 05:30:37 PST


    Russell Coker wrote:
    
    >Your message was not entirely clear to me, but I get the impression that it 
    >means just providing all relevant information to the security module (SE 
    >Linux in this case) and letting it decide what to do next.  But how does that 
    >really differ from what we have now?
    >
    I'm not sure, but that's because I don't entirely understand Christoph's 
    objection. I inferred from Christoph's comment that Stephen's patch 
    required all modules to implement some data structure listing all sysctl 
    variables. If that is the case, then Christoph has a point, and this 
    design might need some refinement.
    
    On the other hand, if the hook just presents a list of sysctl parameters 
    to the module and asks the module if it cares, then it essentially is my 
    suggested solution:
    
        * modules that don't care about sysctl can just ignore it and say
          "ok" to everything
        * modules that just want to be blunt can block sysctl for every
          process that isn't, e.g., root
        * modules that want to be fine-grained about it can implement their
          own data structures to track who can do what
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    			    Just say ".Nyet"
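
The three module behaviours listed in the message above, sketched as an added example that is not part of the original post or of the patch under discussion. It is a userspace model rather than kernel code: the hook signature, the `OP_*` values, every function name and the sample rules are assumptions made for illustration.

```c
/* Userspace model of a sysctl permission hook. All names are hypothetical. */
#include <errno.h>
#include <string.h>

#define OP_READ  4
#define OP_WRITE 2

struct caller { unsigned uid; };
typedef int (*sysctl_hook)(const struct caller *c, const char *name, int op);

/* 1. Module that does not care about sysctl: says "ok" to everything. */
static int hook_permissive(const struct caller *c, const char *name, int op)
{
    (void)c; (void)name; (void)op;
    return 0;
}

/* 2. Blunt module: block sysctl for every caller that is not root. */
static int hook_root_only(const struct caller *c, const char *name, int op)
{
    (void)name; (void)op;
    return c->uid == 0 ? 0 : -EPERM;
}

/* 3. Fine-grained module: keeps its own private table of who can do what. */
struct rule { const char *name; unsigned uid; int ops; };
static const struct rule rules[] = {        /* constructed sample policy */
    { "kernel.hostname",     1000, OP_READ },
    { "net.ipv4.ip_forward", 0,    OP_READ | OP_WRITE },
};

static int hook_fine_grained(const struct caller *c, const char *name, int op)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (op != 0 && c->uid == rules[i].uid &&
            strcmp(name, rules[i].name) == 0 && (op & ~rules[i].ops) == 0)
            return 0;
    return -EACCES;   /* assumption: anything not listed is denied */
}

/* The core hands the request to whichever hook is registered and keeps
 * no per-module list of sysctl variables itself. */
static int check_sysctl(sysctl_hook h, unsigned uid, const char *name, int op)
{
    struct caller c = { uid };
    return h(&c, name, op);
}
```

Only the fine-grained module carries a table of variables; the other two never look at the variable name.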
    
    
    
    




    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 05:32:37 PST