Re: Clarifications of LSM API

From: Valdis.Kletnieks@private
Date: Fri Jul 02 2004 - 13:25:41 PDT


    On Fri, 02 Jul 2004 07:01:11 PDT, Crispin Cowan said:
    
    >     * All the instances of multiple module composition that I do know of
    >       amount to one MAC system and one or more pathology blockers like
    >       TPE or OWLSM, plus the special case of POSIX Capabilities.
    
    I think that's correct - I haven't seen a sane proposal for more than
    one MAC, the POSIX Capabilities is needed for backward compatibility,
    and then people want one or more pathology blockers in between.
    
    > Anyone have a counter-example where they actually want to compose two 
    > blob-using modules?
    
    I think Serge's Dirjail stuff is in an odd position - it's basically a
    pathology blocker, but needs to be able to save some state between calls
    (basically, it needs the ability to tag something at one point in time, and
    then be able to examine the tag at some later LSM hook invocation).
    
    ISTR something about OWLSM also having a stacker issue if CONFIG_OWLSM_FD
    was defined - was that a blob-sharing thing, or something else?
    
    
    


