On Thu, 2005-08-25 at 15:17 -0700, Chris Wright wrote:

> These are no-ops in dummy or capabilities, but don't represent the rest
> of the hooks, or the rest in a single object area (i.e. task or inode).
> Looks like (from discussion in early May) they were added to help stack
> with grsec and something else?

Yes, they were added at the request of various people who wanted to stack digsig, owlsm, or custom LSMs. Not clear that they are important anymore given the generic LSM stacking support.

> Would it make more sense to directly use cap_* as library functions,
> and drop the whole ad-hoc internal stacking?

Yes, if dummy is going to be killed entirely (as per the recently posted patches), then it makes sense to hardwire to using the cap_ functions. But I recall there are some issues with regard to properly falling back to just capabilities upon a runtime disable of SELinux - I'll look at your patch.

--
Stephen Smalley
National Security Agency
This archive was generated by hypermail 2.1.3 : Fri Aug 26 2005 - 04:10:49 PDT