On Mon, Feb 23, 2004 at 02:53:57PM -0800, Chris Wright wrote:
> * Chandra Seetharaman (sekharan@private) wrote:
> > Hello,
> >
> > In the list of security hooks, for setuid() (and family), I see two hooks -
> > task_setuid() and task_post_setuid(), one for checking the permissions and
> > the second for setting the capabilities. But, for setgid(), I see only
> > task_setgid(), no task_post_setgid().
> >
> > To my understanding, the rationale for providing task_post_setuid() holds
> > good for providing task_post_setgid(). What is the rationale for not having
> > the post hook for setgid()?
>
> This is a result of converting the existing logic for preserving/dropping
> capabilities across setuid type calls. The logic did not include any
> special casing for setgid calls. So, this is a straight port of the
> pre-LSM code. Do you have a specific use of a post_setgid hook?

Hi Chris,

Thanks for your reply... you might remember me from a previous discussion we
had in the context of CKRM (ckrm.sf.net).

For our classification engine we need to have callbacks from various kernel
points. I am looking at the possibility of using LSM for that purpose (instead
of adding our own callbacks).

post_setgid is one of the places where LSM doesn't have hooks for, that is why
I am interested in post_setgid.

Apart from that, from a semantic point of view also it will be clean to have a
post_setgid (analogous to post_setuid).

Thanks,
chandra

> thanks,
> -chris
> --
> Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net

--
----------------------------------------------------------------------
Chandra Seetharaman | Be careful what you choose....
- sekharan@private  | .......you may get it.
----------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Feb 23 2004 - 15:22:22 PST