Re: [RFC] Virtualization steps

From: Chris Wright
Date: Wed Mar 29 2006 - 17:48:30 EST

Next message: Dave Jones: "Re: [PATCH] powerpc: Move pSeries firmware feature setup into platforms/pseries"
Previous message: Peter Williams: "Re: [PATCH] sched: smpnice try to wakeup modification"
In reply to: Sam Vilain: "Re: [RFC] Virtualization steps"
Next in thread: Sam Vilain: "Re: [RFC] Virtualization steps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Sam Vilain (sam@xxxxxxxxxx) wrote:
> extern struct security_operations *security_ops; in
> include/linux/security.h is the global I refer to.

OK, I figured that's what you meant. The top-level ops are similar in
nature to inode_ops in that there's not a real compelling reason to make
them per process. The process context is (usually) available, and more
importantly, the object whose access is being mediated is readily
available with its security label.

> There is likely to be some contention there between the security folk
> who probably won't like the idea that your security module can be
> different for different processes, and the people who want to provide
> access to security modules on the systems they want to host or consolidate.

I think the current setup would work fine. It's less likely that we'd
want a separate security module for each container than simply policy
that is container aware.

thanks,
-chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dave Jones: "Re: [PATCH] powerpc: Move pSeries firmware feature setup into platforms/pseries"
Previous message: Peter Williams: "Re: [PATCH] sched: smpnice try to wakeup modification"
In reply to: Sam Vilain: "Re: [RFC] Virtualization steps"
Next in thread: Sam Vilain: "Re: [RFC] Virtualization steps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]