On Thursday 24 February 2005 01:55, Kurt Garloff wrote:
> On Mon, Feb 21, 2005 at 11:19:16AM +0100, Amon Ott wrote:
> > Without rechecking the current state: At least the last time I
> > checked, the hardwired kernel capabilities were explicitly disabled
> > when LSM got switched on. You had to use the capabilities LSM module
> > instead, which was not able to stack. It always had to be the last in
> > the chain, thus effectively sealing against any other LSM module to
> > be loaded later.
>
> My patches posted Feb 13 fix this.
>
> If you apply them (and I hope Linus will), capabilities is default
> and you can replace that by loading an LSM. You can stack capability
> on top of the primary LSM again, if the latter supports this.

Well, not quite, although it is an improvement. As long as the capabilities module does not support stacking, anybody needing capabilities and e.g. on-access scanning with Dazuko will have to unload this module, load another module, and reload it. This creates a nasty race condition.

BTW, what happens if capabilities have been compiled static, not as a module?

AFAIK, not all LSM modules provide correct stacking. At least all modules in the main line kernel should really support the official way.

But this is just a few cents from someone not using LSM...

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
This archive was generated by hypermail 2.1.3 : Thu Feb 24 2005 - 00:47:19 PST