Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

---

• From: Stephen Smalley <sds@xxxxxxxxxxxxx>
• Date: Mon, 17 Apr 2006 13:03:24 -0400

---

On Mon, 2006-04-17 at 17:23 +0100, Christoph Hellwig wrote:

On Mon, Apr 17, 2006 at 12:06:53PM -0400, Stephen Smalley wrote:

I thought of this, see label_all_processes. Unfortunately I found no way of
actually doing this. I would need to iterate through the tasklist structure,
but the task_lock export is going to be removed from the kernel.

So, if built-in isn't an option, propose an interface to the core
security framework to allow security modules to perform such
initialization without needing to directly touch the lock themselves

NACK. The whole idea of loading security modules after bootup is flawed.
Any scheme that tries to enumerate process and other entinity after the
fact for access control purposes is fundamentally flawed. We're not going
to add helpers or exports for it, I'd rather remove the ability to build
lsm hook clients modular completely.

Or, better, remove LSM itself ;)

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Christoph Hellwig
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Arjan van de Ven

• References:
  • [RFC][PATCH 2/7] implementation of LSM hooks
    • From: Török Edwin
  • Re: [RFC][PATCH 2/7] implementation of LSM hooks
    • From: Stephen Smalley
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Török Edwin
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Stephen Smalley
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Christoph Hellwig

• Prev by Date: Re: [PATCH 00/05] robust per_cpu allocation for modules
• Next by Date: Re: [PATCH 5/5] Swapless V2: Revise main migration logic
• Previous by thread: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
• Next by thread: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks ... I would need to iterate through the tasklist structure, ... but the task_lock export is going to be removed from the kernel. ... So, if built-in isn't an option, propose an interface to the core ... The whole idea of loading security modules after bootup is flawed. ... (Linux-Kernel) Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel ... order to add flexibility, or do we keep things as simple as possible ... I want what we have for the rest of the kernel. ... to have that kind of cross pollination when using the LSM. ... the compiled in security modules I want to run, ... (Linux-Kernel) Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks ... So, if built-in isn't an option, propose an interface to the core ... The whole idea of loading security modules after bootup is flawed. ... lsm hook clients modular completely. ... the selinux functions in question when selinux is the security module of ... (Linux-Kernel)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)