> The main question is do we declare cap_effective to belong solely to
> capability.c, or do we want capability.c to trust previous LSM's
> computations of those values? So, even with the current case, if we
> insmod, rmmod, then re-insmod capability, do we want to revoke all
> previous cap_* computations?

Repeatedly rmmod'ing and re-insmod'ing a security module is an extreme case. In practice, it may never happen. For safety, we may need to re-compute at any time.

> It seems reasonable for it to "belong" to capability.c (and I've heard of
> no one else wanting to use it). I just don't think we've explicitly
> declared this to be the case.

Privilege control is very important to system security. Although they are simple, capability.c or dummy.c can control some critical accesses that cannot be controlled by other security policies (MLS/BLP, ACL, CW, etc.). For example, sethostname must be regarded as a privileged operation, but in BLP or ACL, nothing can be done about it.

We may have a better way of fixing this bug quickly. :)

Thanks
LiangBin
ISCAS
This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 09:10:47 PST