Re: [RFC] A different implementation of LSM?

From: Chris Wright
Date: Mon Jan 03 2005 - 18:50:48 EST

Next message: Stas Sergeev: "[patch] x86: fix ESP corruption CPU bug"
Previous message: Bill Davidsen: "Re: starting with 2.7"
In reply to: Luca Falavigna: "[RFC] A different implementation of LSM?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Luca Falavigna (dktrkranz@xxxxxxxxx) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One of the biggest limitations of LSM is we can't implement more than
> one handler for each security hook at the same time.
> Is it advisable to revise the actual implementation, introducing a
> doubly linked list based mechanism (such as Netfilter implementation),
> or this is the best solution in order to limit overhead?

This is an intentional limitation. Arbitrary security models do not
compose well. And LSM framework allows modules to store state or label
information in kernel objects. So, the callout isn't the only spot that
would need chaining. Take a look at the lsm archive, this is being
worked on presently.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stas Sergeev: "[patch] x86: fix ESP corruption CPU bug"
Previous message: Bill Davidsen: "Re: starting with 2.7"
In reply to: Luca Falavigna: "[RFC] A different implementation of LSM?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]