On Mon, 2006-04-17 at 13:03 -0400, Stephen Smalley wrote:
> On Mon, 2006-04-17 at 17:23 +0100, Christoph Hellwig wrote:
> > On Mon, Apr 17, 2006 at 12:06:53PM -0400, Stephen Smalley wrote:
> > > > I thought of this, see label_all_processes. Unfortunately I found no way of
> > > > actually doing this. I would need to iterate through the tasklist structure,
> > > > but the task_lock export is going to be removed from the kernel.
> > >
> > > So, if built-in isn't an option, propose an interface to the core
> > > security framework to allow security modules to perform such
> > > initialization without needing to directly touch the lock themselves
> >
> > NACK. The whole idea of loading security modules after bootup is flawed.
> > Any scheme that tries to enumerate process and other entinity after the
> > fact for access control purposes is fundamentally flawed. We're not going
> > to add helpers or exports for it, I'd rather remove the ability to build
> > lsm hook clients modular completely.
>
> Or, better, remove LSM itself ;)
>
at minimum I can see the point to make the lsm hooks compile directly to
the selinux functions in question when selinux is the security module of
choice; that'll save quite a bit of performance already
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]