On Tue, 2004-11-30 at 14:38 -0800, Crispin Cowan wrote:
> * keep the stacking mechanism as simple as possible, aiming at the
> "allow if all modules allow" composition policy and not much else
> * if there is a conflict between Capable and stacker, choose Capable

Hi,

What exactly do you mean in this case by "Capable"? Capable is also defined by LSMs, so do you mean commoncap:capable?

I saw the useful possibilities a little differently from the way the discussion has been heading:

1. We live with the fact that everything is restrictive. If one module says "no" to a capable call, then presumably it means it. If it doesn't care one way or another, it can say "yes" and let another module, which does care, say no. This is the current approach.

2. We say that capable() can return <0 for "deny", 0 for "allow if no one else denies" and >1 for "I'd really like this to be allowed". security/security.c:capable() can convert >1 return values to 0 in case stacker isn't running.

So it sounds like some people might like for us to consider (2)? Or is what is actually being discussed in this thread something different?

-serge
--
=======================================================
Serge Hallyn
Security Software Engineer, IBM Linux Technology Center
serue@private
This archive was generated by hypermail 2.1.3 : Fri Dec 03 2004 - 05:27:56 PST
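
Added example, not part of the original message and not kernel code: a userspace C model of the two capable() composition options described above. The function names and the CAP_OVERRIDE value are hypothetical, and the rule that a ">1" verdict beats another module's denial is an assumption, since the message does not say how that conflict is resolved.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed value standing in for the message's ">1" verdict. */
#define CAP_OVERRIDE 2

/* Option 1: purely restrictive. The first denial (<0) is final. */
int compose_restrictive(const int *verdicts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (verdicts[i] < 0)
            return verdicts[i];
    return 0;
}

/* Option 2: <0 deny, 0 "allow if no one else denies", >1 "really allow".
 * ASSUMPTION: an override wins over a denial from another module.
 * A verdict of exactly 1 is unspecified in the message; treated as 0 here. */
int compose_ternary(const int *verdicts, size_t n)
{
    int deny = 0, override = 0;
    for (size_t i = 0; i < n; i++) {
        if (verdicts[i] < 0 && deny == 0)
            deny = verdicts[i];      /* remember the first denial */
        else if (verdicts[i] > 1)
            override = 1;
    }
    return override ? CAP_OVERRIDE : deny;
}

/* Conversion the message assigns to security/security.c:capable():
 * callers only ever see 0 (allow) or <0 (deny). */
int normalize_single(int verdict)
{
    return verdict > 1 ? 0 : verdict;
}

int stacked_capable(const int *verdicts, size_t n)
{
    return normalize_single(compose_ternary(verdicts, n));
}

int main(void)
{
    int v[] = { 0, -EPERM, CAP_OVERRIDE };   /* constructed module verdicts */
    printf("option 1: %d\n", compose_restrictive(v, 3));
    printf("option 2: %d\n", stacked_capable(v, 3));
    return 0;
}
```

With the constructed verdicts, option 1 denies while option 2 allows: under the assumed conflict rule, a module's "no" is no longer final once any stacked module can return the override value.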