Re: A basic question about the security_* hooks

From: Eric W. Biederman
Date: Thu Dec 24 2009 - 07:53:47 EST


Casey Schaufler <casey@xxxxxxxxxxxxxxxx> writes:

> I'm behind you 100%. Use the LSM. Your module is exactly why we have
> the blessed thing. Once we get a collection of otherwise unrelated
> LSMs the need for a stacker will be sufficiently evident that we'll
> be able to get one done properly.

My immediate impression is that the big limitation today is the
sharing of the void * security data members of structures.

Otherwise multiple security modules could be as simple as:

        list_for_each(mod)
                if (mod->op(...) != 0)
                        return -EPERM;

It isn't hard to multiplex a single data field into several with a
nice little abstraction.

With my maintainer of a general purpose kernel hat on I would love to
be able to build in all of the security modules and select at boot
time which ones were enabled.

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
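The stacking loop and the multiplexed void * field sketched in the mail above, as an added userspace illustration in C. This is not kernel code and not from the original message: the object, hook and module names (check_access, security_may_access, the "owner" and "label" modules, the create_ctx passed at allocation time) are hypothetical, and the two modules and their policies are constructed for the demo. The one slot the "kernel" provides is turned into an array with one entry per registered module, each module only ever sees its own entry, and the access hook denies as soon as any module refuses.

```c
/* Added example, not kernel code: stacking several security modules over a
 * single void * security field. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MODULES 4
#define EPERM_RC    1          /* stand-in for the kernel's -EPERM */

/* The object the "kernel" hands out: exactly one void * slot. */
struct object { const char *name; void *security; };

/* What the creator knows at allocation time (constructed for the demo). */
struct create_ctx { int owner_uid; const char *label; };

struct security_ops {
    const char *name;
    int index;                                   /* slot in the shared field */
    void *(*alloc)(const struct create_ctx *ctx);
    int (*may_access)(void *blob, int uid);
};

/* The multiplexer: the single void * points at one entry per module. */
struct mux_blob { void *per_module[MAX_MODULES]; };

static struct security_ops *modules[MAX_MODULES];
static int nr_modules;

static int register_module(struct security_ops *ops)
{
    if (nr_modules >= MAX_MODULES) return -1;
    ops->index = nr_modules;
    modules[nr_modules++] = ops;
    return 0;
}

static void security_object_free(struct object *obj)
{
    struct mux_blob *m = obj->security;
    if (!m) return;
    for (int i = 0; i < nr_modules; i++) free(m->per_module[i]);
    free(m);
    obj->security = NULL;
}

/* Allocation hook: give every module its own blob inside the one slot. */
static int security_object_alloc(struct object *obj, const struct create_ctx *ctx)
{
    struct mux_blob *m = calloc(1, sizeof(*m));
    if (!m) return -1;
    obj->security = m;
    for (int i = 0; i < nr_modules; i++) {
        m->per_module[i] = modules[i]->alloc(ctx);
        if (!m->per_module[i]) { security_object_free(obj); return -1; }
    }
    return 0;
}

/* The stacking loop from the mail: the first refusal denies access. */
static int security_may_access(struct object *obj, int uid)
{
    struct mux_blob *m = obj->security;
    for (int i = 0; i < nr_modules; i++) {
        int rc = modules[i]->may_access(m->per_module[i], uid);
        if (rc != 0) return rc;
    }
    return 0;
}

/* Module 1 (hypothetical): only the owner or uid 0 may access. */
struct owner_blob { int owner_uid; };
static void *owner_alloc(const struct create_ctx *ctx)
{
    struct owner_blob *b = malloc(sizeof(*b));
    if (b) b->owner_uid = ctx->owner_uid;
    return b;
}
static int owner_may_access(void *blob, int uid)
{
    struct owner_blob *b = blob;
    return (uid == 0 || uid == b->owner_uid) ? 0 : EPERM_RC;
}

/* Module 2 (hypothetical): objects labelled "secret" are uid 0 only. */
struct label_blob { char label[16]; };
static void *label_alloc(const struct create_ctx *ctx)
{
    struct label_blob *b = calloc(1, sizeof(*b));
    if (b) strncpy(b->label, ctx->label, sizeof(b->label) - 1);
    return b;
}
static int label_may_access(void *blob, int uid)
{
    struct label_blob *b = blob;
    return (strcmp(b->label, "secret") == 0 && uid != 0) ? EPERM_RC : 0;
}

static struct security_ops owner_ops = { "owner", 0, owner_alloc, owner_may_access };
static struct security_ops label_ops = { "label", 0, label_alloc, label_may_access };

/* Register both modules once, then ask whether uid may access an object
 * created with the given owner and label. Returns 0 (allowed) or EPERM_RC. */
int check_access(int owner_uid, const char *label, int uid)
{
    if (nr_modules == 0) { register_module(&owner_ops); register_module(&label_ops); }
    struct create_ctx ctx = { owner_uid, label };
    struct object obj = { "demo", NULL };
    if (security_object_alloc(&obj, &ctx) != 0) return -1;
    int rc = security_may_access(&obj, uid);
    security_object_free(&obj);
    return rc;
}

int main(void)
{
    printf("owner 1000, public, uid 1000 -> %d\n", check_access(1000, "public", 1000));
    printf("owner 1000, public, uid 2000 -> %d\n", check_access(1000, "public", 2000));
    printf("owner 1000, secret, uid 1000 -> %d\n", check_access(1000, "secret", 1000));
    printf("owner 1000, secret, uid 0    -> %d\n", check_access(1000, "secret", 0));
    return 0;
}
```

The "label" module denies an object its "owner" module would have allowed (owner 1000, label secret, uid 1000), which is the point of the deny-if-any loop: modules never need to know about each other, and the index handed out at registration is the whole of the "nice little abstraction" that splits one field into several. Allocation failure in any module tears down the blobs already allocated so the shared field never points at a half-initialised array.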