Re: LSM stacker update

From: Stephen Smalley (sds@private)
Date: Tue Feb 01 2005 - 05:48:37 PST


On Tue, 2005-02-01 at 08:30, Crispin Cowan wrote:
> Serge E. Hallyn wrote:
> 
> >I hadn't considered that.  It does seem to then enforce that any
> >security module keeping state on kernel objects must be compiled in
> >so as to catch them when they are created.  But that may not be a
> >bad thing, and it would be nice to be able to drop the rwlock.
>
> Forcing a stackable module to be compiled in would seem to be a fatal 
> flaw. The whole point of stacking is to be able to compose things that 
> your upstream provider did not think of.

I'm not sure that it would truly require making the module builtin, just
inserting any loadable module early during system initialization before
other processes are running.  But that is good practice anyway.

-- 
Stephen Smalley <sds@private>
National Security Agency


