Re: [PATCH] Smackv10: Smack rules grammar + their stateful parser

2007-11-05 Thread Ahmed S. Darwish
On Sun, Nov 04, 2007 at 12:28:48PM +, Pavel Machek wrote: Hi! Still to come: - Final cleanup of smack_load_write and smack_cipso_write. Hi All, After agreeing with Casey on the load input grammar yesterday, here's the final grammar and its parser (which needs more

Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)

2007-11-05 Thread Serge E. Hallyn
Quoting Andrew Morgan ([EMAIL PROTECTED]): Peter Dolding wrote: On 11/1/07, Casey Schaufler [EMAIL PROTECTED] wrote: --- Peter Dolding [EMAIL PROTECTED] wrote: Posix capabilities predate SELinux. SELinux is not interested in Posix

Re: [PATCH] Smackv10: Smack rules grammar + their stateful parser

2007-11-05 Thread Linus Torvalds
On Mon, 5 Nov 2007, Ahmed S. Darwish wrote: On Sun, Nov 04, 2007 at 12:28:48PM +, Pavel Machek wrote: Can we avoid string parsers in the kernel? Ok, could someone suggest a better idea please? I personally think string parsers are *much* better than the alternatives (which

File descriptor object capability LSM module. Feasability?

2007-11-05 Thread Rob Meijer
A while ago I asked some questions on the subject of at* system calls on the list and got rather dismissive responses. After having given up on the whole concept for a while, the recent discussions on this list have made me put some more effort into trying to define more clearly what I would like

Re: [PATCH] Smackv10: Smack rules grammar + their stateful parser

2007-11-05 Thread Ahmed S. Darwish
On 11/5/07, Linus Torvalds [EMAIL PROTECTED] wrote: On Mon, 5 Nov 2007, Ahmed S. Darwish wrote: On Sun, Nov 04, 2007 at 12:28:48PM +, Pavel Machek wrote: Can we avoid string parsers in the kernel? Ok, could someone suggest a better idea please? I personally think string

Re: File descriptor object capability LSM module. Feasability?

2007-11-05 Thread Peter Dolding
http://www.ibm.com/developerworks/linux/library/l-posixcap.html This covers part of what you are talking about. Least authority exec. It's one of the cures to the SUID bit problem. Wonder if the exec bit would be better done with a normal posix capabilities flag saying that this is on offer.

Re: [RFC PATCH] 64-bit-capabilities

2007-11-05 Thread Serge E. Hallyn
Quoting Andrew Morgan ([EMAIL PROTECTED]): Serge, Here is my latest iteration of the 64-bit support. This is basically it (sans porting it to Andrew's mm tree). Cheers Andrew

Re: Defense in depth: LSM *modules*, not a static interface

2007-11-05 Thread Crispin Cowan
Simon Arlott wrote: On Tue, October 30, 2007 07:14, Cliffe wrote: And while I acknowledge that many of these layers are currently buried within the kernel (netfilter...) they are security layers which in many cases would probably make sense as stackable security modules. Making the

Re: Problem with accessing namespace_sem from LSM.

2007-11-05 Thread Arjan van de Ven
On Tue, 06 Nov 2007 13:00:41 +0900 Tetsuo Handa [EMAIL PROTECTED] wrote: Hello. I found that accessing namespace_sem from security_inode_create() causes lockdep warning when compiled with CONFIG_PROVE_LOCKING=y . sounds like you have an AB-BA deadlock... -- If you want to reach me at

Re: [PATCH] Smackv10: Smack rules grammar + their stateful parser

2007-11-05 Thread Adrian Bunk
On Sat, Nov 03, 2007 at 06:43:06PM +0200, Ahmed S. Darwish wrote: On Fri, Nov 02, 2007 at 01:50:55PM -0700, Casey Schaufler wrote: Still to come: - Final cleanup of smack_load_write and smack_cipso_write. Hi All, After agreeing with Casey on the load input grammar yesterday,

Re: Problem with accessing namespace_sem from LSM.

2007-11-05 Thread Toshiharu Harada
On 11/6/2007 1:11 PM, Arjan van de Ven wrote: On Tue, 06 Nov 2007 13:00:41 +0900 Tetsuo Handa [EMAIL PROTECTED] wrote: Hello. I found that accessing namespace_sem from security_inode_create() causes lockdep warning when compiled with CONFIG_PROVE_LOCKING=y . sounds like you have an AB-BA