Re: [PATCH 5/5] Remove unnecessary capability hooks in rootplug.

From: Chris Wright (chrisw@private)
Date: Thu Aug 25 2005 - 14:13:50 PDT


* Chris Wright (chrisw@private) wrote:
> * Stephen Smalley (sds@private) wrote:
> > e.g. if secondary_ops->capable is null, the SELinux tests aren't going
> > to show that, because they will still see that the SELinux permission
> > checks are working correctly.  They only test failure/success for the
> > SELinux permission checks, not for the capability checks, so if you
> > unhook capabilities, they won't notice.
> 
> Yes, I see.  I thought the tests you were referring to were 
> "if (secondary_ops->capable)" not LTP tests.  Capability is still a
> module that can be loaded (or built-in).  So the only issue is its
> security_ops is now NULL where it was a trivial return 0 function.
> Aside from the oversight Serge fixed, I don't think there's any issue.

Bah, of course, that's inaccurate because you unconditionally set the
secondary to the default.  So, indeed, the default case (nothing actively
loaded as secondary) will get secondary_ops filled with NULL only.
Seems simplest to just fill the default with cap calls where applicable,
but I had hoped to eliminate that.
Thoughts?

thanks,
-chris
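
The effect discussed in this thread, as an added example that is not part of the original message or the kernel source: a simplified user-space model in which a primary module's `capable` hook calls `secondary_ops->capable` only when it is non-NULL. All names other than `secondary_ops` and `capable` are hypothetical, and the sample tasks are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; struct, function and variable names are hypothetical. */
enum { DEMO_CAP = 21 };                 /* constructed capability bit index */
struct task { unsigned int cap_effective; int policy_allows; };
struct security_operations { int (*capable)(const struct task *t, int cap); };

/* Capability-style check: is the bit set in the task's effective set? */
static int cap_capable(const struct task *t, int cap)
{
    return (t->cap_effective & (1u << cap)) ? 0 : -EPERM;
}

/* Two candidate defaults for the secondary slot. */
static const struct security_operations null_default = { .capable = NULL };
static const struct security_operations cap_default  = { .capable = cap_capable };

/* Primary module hook: consult the secondary if hooked, then its own policy. */
static int primary_capable(const struct security_operations *secondary_ops,
                           const struct task *t, int cap)
{
    if (secondary_ops->capable) {
        int rc = secondary_ops->capable(t, cap);
        if (rc)
            return rc;
    }
    return t->policy_allows ? 0 : -EACCES;
}

/* Constructed tasks: one lacks the capability but passes primary policy,
 * the other holds the capability but is denied by primary policy. */
static const struct task no_cap_policy_ok  = { 0u, 1 };
static const struct task cap_policy_denied = { 1u << DEMO_CAP, 0 };

int main(void)
{
    /* NULL default: the capability check is silently skipped. */
    printf("null default, no cap:  %d\n",
           primary_capable(&null_default, &no_cap_policy_ok, DEMO_CAP));
    /* Default filled with cap calls: the capability check still applies. */
    printf("cap default, no cap:   %d\n",
           primary_capable(&cap_default, &no_cap_policy_ok, DEMO_CAP));
    /* A test of the primary policy alone looks identical either way. */
    printf("policy denial (both):  %d %d\n",
           primary_capable(&null_default, &cap_policy_denied, DEMO_CAP),
           primary_capable(&cap_default, &cap_policy_denied, DEMO_CAP));
    return 0;
}
```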


