Re: A basic question about the security_* hooks
From: Serge E. Hallyn
Date: Thu Dec 24 2009 - 19:06:24 EST
Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Casey Schaufler <casey@xxxxxxxxxxxxxxxx> writes:
>
> > I'm behind you 100%. Use the LSM. Your module is exactly why we have
> > the blessed thing. Once we get a collection of otherwise unrelated
> > LSMs the need for a stacker will be sufficiently evident that we'll
> > be able to get one done properly.
>
> My immediate impression is that the big limitation today is the
> sharing of the void * security data members of strucutres.
>
> Otherwise multiple security modules could be as simple as.
> list_for_each(mod)
> if (mod->op(...) != 0)
> return -EPERM.
>
> It isn't hard to multiplex a single data field into several with a
> nice little abstraction.
>
> With my maintainer of a general purpose kernel hat on I would love to
> be able to build in all of the security modules and select at boot
> time which ones were enabled.
You're supposed to be able to do that now - use the "security=smack"
or whatever boot option (see security/security.c:choose_lsm() ).
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/