Re: [RFC] [Patch 1/1] IBAC Patch

From: Mimi Zohar
Date: Mon Mar 12 2007 - 18:35:02 EST


On Thu, 2007-03-08 at 22:19 -0500, Valdis.Kletnieks@xxxxxx wrote:
> On Thu, 08 Mar 2007 17:58:16 EST, Mimi Zohar said:
> > This is a request for comments for a new Integrity Based Access
> > Control(IBAC) LSM module which bases access control decisions
> > on the new integrity framework services.
> >
> > (Hopefully this will help clarify the interaction between an LSM
> > module and LIM module.)
>
> OK, between this and the additional LIM hooks I didn't notice in an earlier
> patch, we're starting to see the API. The only problem is that although
> it may be the right API for *your* code, I suspect it's a non-starter without
> a discussion about whether it's the right *generic* API for an LIM (which will
> require at least one dramatic bun fight about what "Integrity" means).

Absolutely, we need to make sure that the set of LIM hooks is complete and that
nothing is missing in order to implement different types of LIM providers. I'm
copying the digsig mailing list for their input on requirements, which this API
might not satisfy or perhaps address.

> > Index: linux-2.6.21-rc3-mm2/security/ibac/Kconfig
>
> Minor congnitive-dissonance alert:
>
> > +config SECURITY_IBAC_BOOTPARAM
> > + bool "IBAC boot parameter"
> > + depends on SECURITY_IBAC
> > + default y
>
> > + If you are unsure how to answer this question, answer N.
>
> The 'default' should in general match the hint we give the user.

Oops, blush. It will obviously be corrected in the next IBAC patch
release.

Mimi Zohar

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/