Re: [PATCH][RFC] Remove kmod_set_label hook

From: Russell Coker (russellat_private)
Date: Wed Mar 26 2003 - 15:00:05 PST

  • Next message: Chris Wright: "Re: [PATCH][RFC] Remove kmod_set_label hook"

    On Wed, 26 Mar 2003 18:56, Stephen D. Smalley wrote:
    > > I obviously need more caffeine.. I was pretty sure stuff running out
    > > of keventd was in the kernel context, and as a result was essentially
    > > trusted code.  How would this work?
    > Different jobs run from the keventd work queue (and different kernel
    > threads using reparent_to_init) are likely to require different
    > permissions, and it would be preferable to maintain them in separate
    > security "domains" rather than lumping them all into one all powerful
    > domain for least privilege purposes.  Even "trusted" code should be
    Even just having them in the kernel context would be an improvement over the 
    current situation.
    We have just had to change polity to allow the init program greater access 
    than it would otherwise require because a kernel thread needed more access, 
    which is not desirable.
    --   My NSA Security Enhanced Linux packages  Bonnie++ hard drive benchmark    Postal SMTP/POP benchmark  My home page
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Wed Mar 26 2003 - 15:01:27 PST