James Morris wrote:

>The optimization for a single LSM is good, but won't the common case be
>two LSMs (e.g. capabilities + something else) ?
>

Maybe. For us, we found it easier to incorporate the Capabilities functionality into our own SubDomain module than to try to stack the two. YMMV.

OTOH, I can see strong cases for stacking multiple modules in the field, e.g. one container module (choose one of Subdomain, SELinux, LIDS, Jail, DTE, etc.) and a list of several point solutions such as OWLSM (implements Openwall's hard/soft link protections), TPE (Trusted Path), etc. Stacking in this case may be feasible if it is the case that all the "point solution" modules do not use security blobs.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com