Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks



On Mon, 2006-04-17 at 13:03 -0400, Stephen Smalley wrote:
On Mon, 2006-04-17 at 17:23 +0100, Christoph Hellwig wrote:
On Mon, Apr 17, 2006 at 12:06:53PM -0400, Stephen Smalley wrote:
I thought of this, see label_all_processes. Unfortunately I found no way of
actually doing this. I would need to iterate through the tasklist structure,
but the task_lock export is going to be removed from the kernel.

So, if built-in isn't an option, propose an interface to the core
security framework to allow security modules to perform such
initialization without needing to directly touch the lock themselves.

NACK. The whole idea of loading security modules after bootup is flawed.
Any scheme that tries to enumerate processes and other entities after the
fact for access control purposes is fundamentally flawed. We're not going
to add helpers or exports for it, I'd rather remove the ability to build
lsm hook clients modular completely.

Or, better, remove LSM itself ;)


at minimum I can see the point to make the lsm hooks compile directly to
the selinux functions in question when selinux is the security module of
choice; that'll save quite a bit of performance already

