Re: [RFC] [PATCH] Stacking through chaining (v3)

From: Serge Hallyn (serue@private)
Date: Fri Dec 03 2004 - 06:40:03 PST

On Tue, 2004-11-30 at 14:38 -0800, Crispin Cowan wrote:

>     * keep the stacking mechanism as simple as possible, aiming at the
>       "allow if all modules allow" composition policy and not much else
>     * if there is a conflict between Capable and stacker, choose Capable


What exactly do you mean in this case by "Capable"?  Capable is also
defined by LSMs, so do you mean commoncap:capable?

I saw the useful possibilities a little differently from the way the
discussion has been heading:

  1. We live with the fact that everything is restrictive.  If one
module says "no" to a capable call, then presumably it means it.  If it
doesn't care one way or another, it can say "yes" and let another
module, which does care, say no.  This is the current approach.

  2. We say that capable() can return <0 for "deny", 0 for "allow if
no one else denies" and >1 for "I'd really like this to be allowed".
security/security.c:capable() can convert >1 return values to 0 in case
stacker isn't running.

So it sounds like some people might like for us to consider (2)?  Or is
what is actually being discussed in this thread something different?

Serge Hallyn
Security Software Engineer, IBM Linux Technology Center
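
The two composition rules described in this message, modeled in user space as an added example (not code from the patch or from the poster). The function and module names are hypothetical, and the rule that a >1 return outranks a denial is an assumption, since the message does not say how stacker would resolve that conflict.

```c
/* User-space model with hypothetical names; not kernel or stacker code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*capable_hook)(int cap);

/* Constructed sample modules, one per return class from the message. */
static int mod_neutral(int cap) { (void)cap; return 0; }      /* 0: allow if no one denies */
static int mod_deny(int cap)    { (void)cap; return -EPERM; } /* <0: deny */
static int mod_strong(int cap)  { (void)cap; return 2; }      /* >1: "really like" allow */
static const capable_hook sample_mods[] = { mod_neutral, mod_deny, mod_strong };

/* Option 1: purely restrictive, the first negative answer is final. */
int stack_restrictive(const capable_hook *mods, size_t n, int cap)
{
    for (size_t i = 0; i < n; i++) {
        int rc = mods[i](cap);
        if (rc < 0)
            return rc;
    }
    return 0;
}

/* Option 2, stacker absent: collapse >1 to 0 so callers see the old contract. */
int normalize_without_stacker(int rc) { return rc > 1 ? 0 : rc; }

/* Option 2, stacker present. ASSUMPTION: a >1 vote outranks a deny.
 * The value 1 has no meaning assigned in the message; treated as neutral. */
int stack_strong_allow(const capable_hook *mods, size_t n, int cap)
{
    int deny = 0, strong = 0;
    for (size_t i = 0; i < n; i++) {
        int rc = mods[i](cap);
        if (rc > 1)
            strong = 1;
        else if (rc < 0 && deny == 0)
            deny = rc;          /* remember the first denial */
    }
    return strong ? 0 : deny;
}

int main(void)
{
    printf("option 1: %d\n", stack_restrictive(sample_mods, 3, 0));
    printf("option 2: %d\n", stack_strong_allow(sample_mods, 3, 0));
    return 0;
}
```

Under the assumed rule, the same three modules yield -EPERM with option 1 and 0 with option 2, so one module's denial is no longer final once >1 returns are honored.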
