Re: [patch] CONFIG_SECURITY_NETWORK

From: Chris Wright (chrisat_private)
Date: Tue Jan 28 2003 - 12:56:34 PST

    [resend, typo in address]
    
    * Stephen D. Smalley (sdsat_private) wrote:
    > 
    > I've built and booted a SELinux kernel with and w/out
    > CONFIG_SECURITY_NETWORK, and it functioned as expected, i.e. only
    > differing in the absence of the socket and networking access controls
    > w/out the option.
    
    Sounds good.
    
    > > this isn't necessary.  "depends on SECURITY" is sufficient.
    > 
    > Ok, I was just following the same convention as the other entries in 
    > security/Kconfig.  Should we change them all?
    
    Sorry, I wasn't looking at the other entries.  I prefer simply "depends
    on SECURITY".  I don't see the need for the other entries using "!=n",
    so I'd say yes, change them all.
    
    > > this does embed some framework functionality in the dummy module.  any
    > > reason not to put it in the static inline in security.h before the call
    > > to the module?
    > 
    > security.h can't dereference pointers to struct sock and struct
    > open_request without including net/sock.h and net/tcp.h, but both of
    > those header files need to include security.h since they contain hook
    > calls.
    
    Whee, love circular dependencies ;-)
    
    > Also, notice that we don't truly need these initializations as part of
    > the base framework; they don't provide anything that can't be done in
    > the module.
    
    Yup, I definitely agree.  I was trying to reason out if there is any
    compelling reason to keep them (and then if it's best to put it in the
    dummy module).  I think we could probably either drop them or leave it
    as is (in your patch).
    
    > So, other than the security/Kconfig cleanup, any other changes that
    > need to be made prior to committing?  Also, I have an equivalent patch
    > for lsm-2.4; does it need to be posted for discussion or can it just be
    > committed at the same time?
    
    I think that's it.  2.4 sounds fine as well.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    