Hello,

On 5/5/05, Chris Wright <chrisw@private> wrote:
> * Davi Arnaut (davi.arnaut@private) wrote:
> > [PATCH] LSM: Add user_struct (alloc/free) hooks
> >
> > Allow a more fine-grained (and less complex strategy) for security
> > modules (models) based upon user tracking. A move toward
> > "a full-fledged user tracking system"..
>
> This needs a better explanation. How do you expect to populate/use
> these new blobs?

With the traditional user_struct we cannot implement a _simple_ and
reliable URT (User Resource Tracking) system or provide a role based
grouping within the kernel (through modules). This patch gives us the
base for a system wide tracking of users instead of a process-based
limit, which enables us to audit and enforce global per-user system
policies.

For example, this patch allows me to implement, with the current set
of hooks, a global per-user task|inode|socket|shm|sem limit and track
abuse of those resources. This is a great feature which can help
sysadmins to distribute resources along a group of users, especially
true for servers full of resource hungry users.

> What do you do on switch_uid to update state?

Nothing, switch_uid only happens on reparent_to_init and set(re)uid
and there are hooks for those, should we care?

> You don't need to add NULL ops to the selinux_ops, registration will
> handle that fine.

Placed on the terms of "hey, fill me in".

> Can you please send this patch to the LSM list
> (linux-security-module@private) and Cc: me to get a better discussion
> going?

Done.

Please CC me in on any reply,
Davi Arnaut

>
> thanks,
> -chris
> --
> Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
> Signed-off-by: Davi Arnaut <davi.arnaut@private>
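The mail argues that a per-user security blob (allocated and freed with the user_struct) makes a user-wide resource limit straightforward, whereas per-process limits let the same user exhaust a resource simply by spreading the consumption over many processes. The following user-space C model, added here as an illustration and not part of Davi's patch or of any kernel code, shows the shape of that idea: `struct user_blob`, `user_blob_alloc`, `user_blob_free`, `user_charge` and `user_uncharge` are all hypothetical stand-ins for what a module would hang off the proposed alloc/free hooks, and the uid table is a constructed list rather than the kernel's uid hash. Refused charges are counted in the blob so the abuse the mail wants to track is auditable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resource classes the mail names as candidates for a per-user limit. */
enum res_class { RES_TASK, RES_INODE, RES_SOCKET, RES_SHM, RES_SEM, RES_NCLASS };

/* Hypothetical per-user blob (assumption: not the patch's own data structure).
 * A module would attach it in its user_struct alloc hook and release it in
 * the free hook, so every process of the uid shares these counters. */
struct user_blob {
    unsigned int uid;
    unsigned long count[RES_NCLASS];   /* units currently held per class */
    unsigned long limit[RES_NCLASS];   /* policy: 0 means unlimited */
    unsigned long denied[RES_NCLASS];  /* audit: charges refused */
    struct user_blob *next;
};

/* Constructed stand-in for the kernel's uid-keyed user_struct table. */
static struct user_blob *user_list;

/* Model of the alloc hook: called when a uid first appears. */
struct user_blob *user_blob_alloc(unsigned int uid, const unsigned long *limits)
{
    struct user_blob *b = calloc(1, sizeof(*b));
    if (!b)
        return NULL;
    b->uid = uid;
    if (limits)
        memcpy(b->limit, limits, sizeof(b->limit));
    b->next = user_list;
    user_list = b;
    return b;
}

struct user_blob *user_blob_find(unsigned int uid)
{
    for (struct user_blob *b = user_list; b; b = b->next)
        if (b->uid == uid)
            return b;
    return NULL;
}

/* Model of the free hook: dropped when the last reference to the uid goes. */
void user_blob_free(unsigned int uid)
{
    struct user_blob **pp = &user_list;
    while (*pp) {
        if ((*pp)->uid == uid) {
            struct user_blob *victim = *pp;
            *pp = victim->next;
            free(victim);
            return;
        }
        pp = &(*pp)->next;
    }
}

/* Charge one unit of class c to uid. Returns 0 on success, -1 when the
 * user-wide limit would be exceeded; the denial is counted for auditing. */
int user_charge(unsigned int uid, enum res_class c)
{
    struct user_blob *b = user_blob_find(uid);
    if (!b)
        return -1;                     /* no blob: refuse rather than lose track */
    if (b->limit[c] && b->count[c] >= b->limit[c]) {
        b->denied[c]++;
        return -1;
    }
    b->count[c]++;
    return 0;
}

/* Release one unit of class c previously charged to uid. */
void user_uncharge(unsigned int uid, enum res_class c)
{
    struct user_blob *b = user_blob_find(uid);
    if (b && b->count[c])
        b->count[c]--;
}

/* Demo: n_procs processes of the same uid each try to create one task-class
 * object. Because the counter lives in the user blob, the limit applies to
 * the user as a whole, not per process. Returns how many were allowed. */
unsigned long demo_user_wide_limit(unsigned int uid, unsigned long task_limit,
                                   unsigned long n_procs)
{
    unsigned long limits[RES_NCLASS] = { 0 };
    unsigned long allowed = 0;
    limits[RES_TASK] = task_limit;
    user_blob_alloc(uid, limits);
    for (unsigned long p = 0; p < n_procs; p++)
        if (user_charge(uid, RES_TASK) == 0)
            allowed++;
    user_blob_free(uid);
    return allowed;
}

int main(void)
{
    unsigned long ok = demo_user_wide_limit(1000, 3, 5);
    printf("uid 1000, task limit 3, 5 processes: %lu creations allowed\n", ok);
    return 0;
}
```

The refusal on a missing blob is deliberate: a module that tracks users must fail closed when its state is absent, otherwise a uid whose blob was never allocated would escape the limit entirely.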
This archive was generated by hypermail 2.1.3 : Thu May 05 2005 - 15:37:41 PDT