Re: Latest release of stacker

From: Stephen Smalley (sds@private)
Date: Tue Feb 22 2005 - 07:18:06 PST


On Mon, 2005-02-21 at 12:48 -0600, Serge Hallyn wrote:
> www.sf.net/projects/lsm-stacker has a new update of the stacker
> patches.

Hmmm...selinux-stack.patch and stacker_rcu_test.txt are showing up empty
when I download them; possibly just not propagated to all mirrors yet.  It
would be easier if there was a single tarball with all of the files in
each release.

> 	2. lsm-chain.patch: removed rwlock from security_set_value,
> 	security_get_value, and security_del_value operations.  It is
> 	expected that security_del_value is only called from the
> 	security_free_* operation (ie security_free_inode), and that
> 	security_set_value only be called from security_alloc_*.
> 	A new, spinlock-protected function, security_add_value, can
> 	be used to add a security value at a later time.  Look at
> 	the digsig.c.patch for sample usage.

I'm not sure I understand why it would be safe to use this new function
without also taking the same spinlock for calls to the other functions.
In which case you might as well defer all locking to the caller (i.e.
the security module), and let the caller lock and unlock around the
calls to security_set_value() rather than introducing a separate
function.

> 	7. selinux-stack.patch: Main difference is that when selinux
> 	is compiled in, the stackable capabilities module (cap_stack.ko)
> 	is now required.

And stacker too?

-- 
Stephen Smalley <sds@private>
National Security Agency
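The locking point raised in the reply above, worked through as an added example that is not part of this thread or of the stacker patches: a toy per-object chain of per-module security values in which get, set and del are all lock-free and the calling module takes the chain's spinlock itself when it attaches a value to an object that is already shared. With only a separate add routine locked, a concurrent get or del would walk a list that add is rewriting, so the example keeps the locking discipline in one place, the caller. The names sec_chain_*, module_attach_later, module_read and the atomic_flag spinlock are constructed for illustration and stand in for the kernel's own primitives.

```c
/* Added example, not the lsm-stacker code: per-object value chain with
 * caller-managed locking.  A C11 atomic_flag stands in for a kernel spinlock. */
#include <stdatomic.h>
#include <stdlib.h>

/* One entry per stacked module that has attached data to the object. */
struct sec_value {
    int module_id;              /* constructed: identifies the owning LSM */
    void *data;                 /* the module's private blob */
    struct sec_value *next;
};

/* Per-object chain, e.g. what a stacker would hang off i_security. */
struct sec_chain {
    struct sec_value *head;
    atomic_flag lock;           /* taken by callers, never by the chain ops */
};

void sec_chain_init(struct sec_chain *c)
{
    c->head = NULL;
    atomic_flag_clear(&c->lock);
}

static void chain_lock(struct sec_chain *c)
{
    while (atomic_flag_test_and_set(&c->lock))
        ;                       /* spin until the flag was clear */
}

static void chain_unlock(struct sec_chain *c)
{
    atomic_flag_clear(&c->lock);
}

/* Lock-free walk: only valid while the chain cannot change underneath us,
 * i.e. at alloc/free time or with the caller holding c->lock. */
static struct sec_value **find_slot(struct sec_chain *c, int module_id)
{
    struct sec_value **pp;
    for (pp = &c->head; *pp; pp = &(*pp)->next)
        if ((*pp)->module_id == module_id)
            return pp;
    return pp;                  /* points at the terminating NULL */
}

/* Attach (or replace) module_id's data.  Returns 0, or -1 on allocation failure. */
int sec_chain_set_value(struct sec_chain *c, int module_id, void *data)
{
    struct sec_value **pp = find_slot(c, module_id);
    struct sec_value *v;
    if (*pp) {
        (*pp)->data = data;
        return 0;
    }
    v = malloc(sizeof *v);
    if (!v)
        return -1;
    v->module_id = module_id;
    v->data = data;
    v->next = NULL;
    *pp = v;
    return 0;
}

void *sec_chain_get_value(struct sec_chain *c, int module_id)
{
    struct sec_value **pp = find_slot(c, module_id);
    return *pp ? (*pp)->data : NULL;
}

/* Unlink and free module_id's entry.  Returns 0, or -1 if absent. */
int sec_chain_del_value(struct sec_chain *c, int module_id)
{
    struct sec_value **pp = find_slot(c, module_id);
    struct sec_value *v = *pp;
    if (!v)
        return -1;
    *pp = v->next;
    free(v);
    return 0;
}

/* A module attaching a value after the object is already visible to other
 * contexts: it locks around the ordinary set operation rather than calling a
 * separately locked add routine, so every later get/del uses the same lock. */
int module_attach_later(struct sec_chain *c, int module_id, void *data)
{
    int rc;
    chain_lock(c);
    rc = sec_chain_set_value(c, module_id, data);
    chain_unlock(c);
    return rc;
}

void *module_read(struct sec_chain *c, int module_id)
{
    void *d;
    chain_lock(c);
    d = sec_chain_get_value(c, module_id);
    chain_unlock(c);
    return d;
}

/* Walk one object's lifetime; returns the number of checks that held (9). */
int demo_lifecycle(void)
{
    static int blob_a = 1, blob_b = 2;
    struct sec_chain chain;
    int ok = 0;

    sec_chain_init(&chain);
    /* alloc time: object not yet shared, so set runs without the lock */
    if (sec_chain_set_value(&chain, 1, &blob_a) == 0) ok++;
    /* later: object shared, caller locks around the same set operation */
    if (module_attach_later(&chain, 2, &blob_b) == 0) ok++;
    if (module_read(&chain, 1) == &blob_a) ok++;
    if (module_read(&chain, 2) == &blob_b) ok++;
    if (module_read(&chain, 3) == NULL) ok++;
    /* free time: object no longer reachable, del runs without the lock */
    if (sec_chain_del_value(&chain, 1) == 0) ok++;
    if (sec_chain_del_value(&chain, 1) == -1) ok++;
    if (sec_chain_get_value(&chain, 1) == NULL) ok++;
    if (sec_chain_del_value(&chain, 2) == 0) ok++;
    return ok;
}
```

The chain operations never touch the lock themselves; whether a call needs it is decided by the caller, which knows whether the object is still private (alloc/free time) or already shared. That is the arrangement the reply suggests in place of a single locked add function.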



This archive was generated by hypermail 2.1.3 : Tue Feb 22 2005 - 07:31:56 PST