On Wed, Aug 24, 2005 at 06:20:30PM -0700, Chris Wright wrote:
> static inline int security_ptrace (struct task_struct * parent, struct task_struct * child)
> {
> +#ifdef CONFIG_SECURITY
> return security_ops->ptrace (parent, child);
> +#else
> + return cap_ptrace (parent, child);
> +#endif
> +
> }
The discussion about composing with commoncap made me think about whether
this is the best way to do this. It seems that we're heading towards a
requirement that every module internally compose with commoncap.
If so (apart from the obvious correctness issues when they don't) it's work
for each module and composing N of them under stacker obviously creates
overhead.
Would the following not be a better approach?
static inline int security_ptrace (struct task_struct * parent, struct task_struct * child)
{
int ret;
ret=cap_ptrace (parent, child);
#ifdef CONFIG_SECURITY
if (!ret && security_ops->ptrace)
ret=security_ops->ptrace(parent, child);
#endif
return ret;
}
If every module is already internally composing, there shouldn't be a
performance cost for the additional branch inside the #ifdef.
I havn't looked at every single hook and it's users to see if this would
cause a problem. I noticed SELinux calls sec->capget() post rather than pre
it's processing which may be an issue.
Tony
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
|
|