Re: [RFC][PATCH} 2.6 and grsecurity
Valdis.Kletnieks_at_vt.edu
Date: 02/17/04
- In reply to: Martin Waitz: "Re: [RFC][PATCH} 2.6 and grsecurity"
To: Martin Waitz <tali@admingilde.org>
Date: Tue, 17 Feb 2004 09:53:38 -0500
On Tue, 17 Feb 2004 15:23:33 +0100, Martin Waitz said:
> you could #define security_enable_* to 0 when CONFIG_SECURITY_*
> is disabled. that way you don't need the ugly #ifdef in the .c file
Good point - as I mentioned to another person, I was trying to minimize the
code changes if the feature wasn't selected.
> on the other hand, why does one need a syscall anyway?
> only to justify the existence of some ugly lockdown mode?
For testing and backout - if for some odd reason you discover that it breaks
code, an 'echo 0 >' is a lot less disruptive than a full reboot.
The other reason is for distribution - if you're building a kernel for a bunch
of users, some of whom disagree with it, you can ship it as the code is, and
then those who don't like one or two features can 'echo 0 >' onto those sysctls
and then 'echo 0 >' onto the one to force them read-only. Again, less hassle
than rebuilding a kernel with one CONFIG_SECURITY_WHATEVER turned off (and then
remember to re-rebuild on those machines each time a new kernel gets rolled out
- you can just leave the sysctls in your /etc/rc.* and be happy).
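
Added example, not part of the original message or of the patch under discussion: a user-space C model of the two ideas in this exchange, a security_enable_* name that becomes the constant 0 when its CONFIG option is off, and runtime toggles that a lock switch forces read-only. CONFIG_SECURITY_EXAMPLE, security_enable_example, toggles_writable and the function names are hypothetical, and the one-way behaviour of the lock is an assumption.

```c
#include <errno.h>

/* Hypothetical feature switch; build with -DCONFIG_SECURITY_EXAMPLE=0 to compile it out. */
#ifndef CONFIG_SECURITY_EXAMPLE
#define CONFIG_SECURITY_EXAMPLE 1
#endif

/* Lock switch (hypothetical name): 1 = toggles writable, 0 = read-only. */
static int toggles_writable = 1;

#if CONFIG_SECURITY_EXAMPLE
static int security_enable_example = 1;   /* runtime toggle, on by default */

/* Models 'echo val >' onto the feature's sysctl. */
int write_enable_example(int val)
{
    if (!toggles_writable)
        return -EPERM;                     /* frozen by the lock */
    security_enable_example = !!val;
    return 0;
}
#else
/* Feature not configured: the name is the constant 0, so the guarded
 * branch in check_example() is dead code and no #ifdef is needed there. */
#define security_enable_example 0
int write_enable_example(int val) { (void)val; return -ENOENT; }
#endif

/* Models 'echo val >' onto the lock. Assumption: the lock is one-way,
 * so once cleared it cannot be set again without a reboot. */
int write_lock(int val)
{
    if (val && !toggles_writable)
        return -EPERM;
    toggles_writable = !!val;
    return 0;
}

/* Call site: identical source whether or not the feature is built in. */
int check_example(int suspicious)
{
    if (security_enable_example && suspicious)
        return -EACCES;
    return 0;
}
```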