Re: A basic question about the security_* hooks

From: Eric W. Biederman
Date: Thu Dec 24 2009 - 07:53:47 EST

Next message: Peter Zijlstra: "Re: [PATCH 7/6][RFC] sched: unify load_balance{,_newidle}()"
Previous message: Darren Jenkins: "drivers/gpu/drm/radeon/radeon_fence.c: move a dereference belowthe NULL test"
In reply to: Samir Bellabes: "Re: A basic question about the security_* hooks"
Next in thread: Tetsuo Handa: "Re: A basic question about the security_* hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Casey Schaufler <casey@xxxxxxxxxxxxxxxx> writes:

> I'm behind you 100%. Use the LSM. Your module is exactly why we have
> the blessed thing. Once we get a collection of otherwise unrelated
> LSMs the need for a stacker will be sufficiently evident that we'll
> be able to get one done properly.

My immediate impression is that the big limitation today is the
sharing of the void * security data members of strucutres.

Otherwise multiple security modules could be as simple as.
list_for_each(mod)
if (mod->op(...) != 0)
return -EPERM.

It isn't hard to multiplex a single data field into several with a
nice little abstraction.

With my maintainer of a general purpose kernel hat on I would love to
be able to build in all of the security modules and select at boot
time which ones were enabled.

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Peter Zijlstra: "Re: [PATCH 7/6][RFC] sched: unify load_balance{,_newidle}()"
Previous message: Darren Jenkins: "drivers/gpu/drm/radeon/radeon_fence.c: move a dereference belowthe NULL test"
In reply to: Samir Bellabes: "Re: A basic question about the security_* hooks"
Next in thread: Tetsuo Handa: "Re: A basic question about the security_* hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]