Serge E. Hallyn wrote:
>> Yes. I'd thought about adding a security_ops->inode_change() or
>> somesuch hook, but there were two reasons I didn't. First, this
>> should be done whether or not the capability module is loaded in
>> this kernel. If we're testing a kernel with only the dummy

I'm not sure I know what the right behavior is in this case. A system
administration argument can be made for both behaviors.

>> module, we still want this to happen. Second, only the capability
>> module needs this so far. If more modules end up needing this then

Yes, it appears that this is currently the case. However, there has to
be a first user for everything! :-)

>> we can make it more generic. But note that most security modules
>> will likely label data the way selinux does, for classification for
>> access control, rather than for granting privilege to unprivileged
>> processes.

My main concern is that when this change is merged into the kernel, we
are likely to receive more (negative) feedback for a change that cannot
be compiled out...

Since the security module infrastructure was created exactly to
abstract this sort of detail, and you have been able to add support so
far without adding code outside the security/ directory, it feels, to
me, like the 'right thing' to fold this change into the LSM framework
too.

> [EMAIL PROTECTED] linux-2.6]$ git diff --stat master
>  include/linux/binfmts.h    |    3 +-
>  include/linux/capability.h |   48 +++++++---
>  include/linux/security.h   |   12 ++-
>  security/Kconfig           |   10 ++
>  security/capability.c      |    4 +
>  security/commoncap.c       |  209 ++++++++++++++++++++++++++++++++++++++++----
>  security/selinux/hooks.c   |   12 +++
>  7 files changed, 263 insertions(+), 35 deletions(-)
> [EMAIL PROTECTED] linux-2.6]$

Cheers

Andrew