Re: PROBLEM: A Capability LSM Module serious bug

From: liangbin01@private
Date: Mon Dec 08 2003 - 09:03:01 PST

    > The main question is do we declare cap_effective to belong solely to
    > capability.c, or do we want capability.c to trust previous LSM's
    > computations of those values?  So, even with the current case, if we
    > insmod, rmmod, then re-insmod capability, do we want to revoke all
    > previous cap_* computations?
    Repeated rmmod and re-insmod of a security module is an extreme case. In
    practice, it may never happen. For safety, we may need to re-compute at any time.
    > It seems reasonable for it "belong" to capability.c (and I've heard of
    > no one else wanting to use it).  I just don't think we've explicitly
    > declared this to be the case.
    Privilege control is very important to system security. Although they are
    simple, Capability or dummy.c can control some critical accesses that
    cannot be controlled by other security policies (MLS/BLP, ACL, and CW etc.).
    For example, sethostname must be regarded as a privileged operation, but in BLP
    or ACL, nothing can be done for it.
    We may have a better way to fix this bug quickly. :)