Chris Wright wrote:
>The kernel will only call the primary module's callback functions (the
>module that uses register_security()). Later modules can register
>directly with the primary module to form a stack of modules using
>mod_reg_security(). The primary module is responsible for multiplexing
>the access control decision and returning success or fail to the kernel.
>

The above design can be used in (at least) two ways:

1. Modules that *intend* to work with other modules can be loaded as
   the primary module, and then refer access requests to secondary
   modules as they see fit. So if the SELinux maintainers wanted
   SELinux to work with the Capabilities module, they could add
   registration and secondary module stuff to the SELinux module.
2. A generic multiplexer module can be built that attempts to
   "fairly" consult all other loaded modules. This is the Stacker
   module that David Wheeler was working on a while back. He got
   little encouragement from the rest of us, so it wouldn't surprise
   me if he went away to do something else.

IMHO Stacker is a good idea in the abstract, but I don't intend to use
it in our products. We're going with the first option.

Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
_______________________________________________
linux-security-module mailing list
linux-security-module@mail.wirex.com
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 11:35:39 PDT
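
The first option discussed in the message above (a primary module that refers requests to the secondary modules registered with it), as an added example that is not part of the original message and not taken from any LSM module. It is a userspace C model, not kernel code: sec_ops, primary_register_secondary, primary_file_permission and the two sample rules are hypothetical names, and the composition rule (the primary decides first, then each secondary in order, first denial wins) is an assumption.

```c
/* Userspace model, not kernel code. All names are hypothetical. */
#include <errno.h>
#include <string.h>

#define MAY_EXEC  1
#define MAY_WRITE 2
#define MAX_SECONDARY 4

struct sec_ops {                 /* cut-down stand-in for a hook table */
    const char *name;
    int (*file_permission)(const char *path, int mask); /* 0 or -EPERM */
};
static const struct sec_ops *stack[MAX_SECONDARY];
static size_t nstack;

/* Secondary modules register with the primary, never with the kernel. */
int primary_register_secondary(const struct sec_ops *ops) {
    if (!ops || !ops->name || !ops->file_permission) return -EINVAL;
    for (size_t i = 0; i < nstack; i++)
        if (strcmp(stack[i]->name, ops->name) == 0) return -EEXIST;
    if (nstack == MAX_SECONDARY) return -ENOSPC;
    stack[nstack++] = ops;
    return 0;
}

/* Primary's own constructed rule: no writes under /etc/. */
static int primary_policy(const char *path, int mask) {
    return ((mask & MAY_WRITE) && !strncmp(path, "/etc/", 5)) ? -EPERM : 0;
}

/* The one hook the kernel would call. Assumed composition: the primary
 * decides first, then each secondary in order; the first denial wins. */
int primary_file_permission(const char *path, int mask) {
    int rc = primary_policy(path, mask);
    for (size_t i = 0; rc == 0 && i < nstack; i++)
        rc = stack[i]->file_permission(path, mask);
    return rc;
}

/* Constructed secondary module: no exec from /tmp/. */
static int noexec_tmp_perm(const char *path, int mask) {
    return ((mask & MAY_EXEC) && !strncmp(path, "/tmp/", 5)) ? -EPERM : 0;
}
static const struct sec_ops noexec_tmp = { "noexec_tmp", noexec_tmp_perm };

int main(void) {
    primary_register_secondary(&noexec_tmp);
    return primary_file_permission("/tmp/x", MAY_EXEC) == -EPERM ? 0 : 1;
}
```

A secondary module can only add denials in this model; it cannot override a denial from the primary or from a module registered before it.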