Re: [patch] CONFIG_SECURITY_NETWORK

• Previous message: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• In reply to: Stephen D. Smalley: "Re: [patch] CONFIG_SECURITY_NETWORK"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[resend, typo in address]

* Stephen D. Smalley (sdsat_private) wrote:
> 
> I've built and booted a SELinux kernel with and w/out
> CONFIG_SECURITY_NETWORK, and it functioned as expected, i.e. only
> differing in the absence of the socket and networking access controls
> w/out the option.

Sounds good.

> > this isn't necessary.  "depends on SECURITY" is sufficient.
> 
> Ok, I was just following the same convention as the other entries in 
> security/Kconfig.  Should we change them all?

Sorry, I wasn't looking at the other entries.  I prefer simply "depends
on SECURITY".  I don't see the need for the other entries using "!=n",
so I'd say yes, change them all.

> > this does embed some framework functionality in the dummy module.  any
> > reason not to put it in the static inline in security.h before the call
> > to the module?
> 
> security.h can't dereference pointers to struct sock and struct
> open_request without including net/sock.h and net/tcp.h, but both of
> those header files need to include security.h since they contain hook
> calls.

Whee, love cirucular dependencies ;-)

> Also, notice that we don't truly need these initializations as part of
> the base framework; they don't provide anything that can't be done in
> the module.

Yup, I definitely agree.  I was trying to reason out if there is any
compelling reason to keep them (and then if it's best to put it in the
dummy module).  I think we could probably either drop them or leave it
as is (in your patch).

> So, other than the security/Kconfig cleanup, any other changes that
> need to be made prior to committing?  Also, I have an equivalent patch
> for lsm-2.4; does it need to be posted for discussion or can it just be
> committed at the same time?

I think that's it.  2.4 sounds fine as well.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Crispin Cowan: "Re: c2 (or c2-like) auditing for Linux"
• Previous message: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• In reply to: Stephen D. Smalley: "Re: [patch] CONFIG_SECURITY_NETWORK"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 12:58:30 PST