Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

From: Christoph Hellwig
Date: Mon Apr 17 2006 - 12:23:51 EST

Next message: Thiago Galesi: "[PATCH] Remove unnecessary kmalloc/kfree calls in mtdchar"
Previous message: Stephen Hemminger: "Re: want to randomly drop packets based on percent"
In reply to: Stephen Smalley: "Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks"
Next in thread: Stephen Smalley: "Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Apr 17, 2006 at 12:06:53PM -0400, Stephen Smalley wrote:
> > I thought of this, see label_all_processes. Unfortunately I found no way of
> > actually doing this. I would need to iterate through the tasklist structure,
> > but the task_lock export is going to be removed from the kernel.
>
> So, if built-in isn't an option, propose an interface to the core
> security framework to allow security modules to perform such
> initialization without needing to directly touch the lock themselves

NACK. The whole idea of loading security modules after bootup is flawed.
Any scheme that tries to enumerate process and other entinity after the
fact for access control purposes is fundamentally flawed. We're not going
to add helpers or exports for it, I'd rather remove the ability to build
lsm hook clients modular completely.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thiago Galesi: "[PATCH] Remove unnecessary kmalloc/kfree calls in mtdchar"
Previous message: Stephen Hemminger: "Re: want to randomly drop packets based on percent"
In reply to: Stephen Smalley: "Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks"
Next in thread: Stephen Smalley: "Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]