On Fri, 17 Dec 2004 17:21:40 EST, "David A. Wheeler" said:

> There's another alternative, too. Instead of making
> the module itself vary its behavior, you could simply write
> a small script that:
> (1) checks for SELinux
> (2) selects the "right" digsig module, or pass a parameter, that
> varies depending on (1).

Hmm.. let me ponder that over the weekend. Biggest restriction there is that then my stuff would *have* to be built as a module and loaded later...

> valid shortest-form UTF-8, etc. Another module (like openwall)
> might forbid certain patterns suggesting bad tempfile use,
> and so on.

Yes, trying to do OpenWall-ish things on an SELinux box was my original goal....

> a whole new kernel. And I'd like to support a number of
> these small specialized-function LSMs, so that different people
> can create very narrow and specialized checks, and other
> people can mix & match them.
> Indeed, I suspect there would be many of these small LSM
> modules that don't need to store any special state at all
> on processes, etc. (like my filename checking example).

A number of small things (openwall, realtime, and a few others) have surfaced that certainly look reasonable for stacking, and it *would* be nice if we could focus on "Do these things compose correctly?" rather than trying to figure out if we can get them loaded at all.. ;)
This archive was generated by hypermail 2.1.3 : Fri Dec 17 2004 - 14:51:19 PST