Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)

On 24/10/07 13:55, Adrian Bunk wrote:

quoted text

> On Wed, Oct 24, 2007 at 12:50:29PM +0100, Simon Arlott wrote: >> I currently have an LSM that only handles permissions for socket_bind >> and socket_listen, I load it and then "capability" as secondary on >> boot - but now I can't because the LSM framework is now just the LS >> framework. >> >> Why can't this "static LSM" change be a Kconfig option? >> (I don't want to have to maintain my own reverted copy of security/, >> or compile this into the kernel because then I can't ever modify and >> reload it without rebooting.) > > Let's start with the more important questions: > > Did you submit your LSM for inclusion into the kernel?

No, because the interface for configuring it would be rejected... I have a /proc file which I write a binary configuration file to. This works fine for me but it would take a lot of work to write a proper interface - which I'm still not sure how to do*. That doesn't solve the problem that it's no longer possible to reload LSM modules to make changes at runtime. Why should I have to reboot to change something from now on when it works ok? The reasoning seems to be based around a dislike of some out of tree modules. (Although it doesn't look like there's appropriate locking around the register/unregister process.) * (I've got a list of access rules which are scanned in order until one of them matches, and an array of one bit for every port for per-port default allow/deny - although the latter could be removed. http://svn.lp0.eu/simon/portac/trunk/) -- Simon Arlott -

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Eric Paris	[RFC 0/5] [TALPA] Intro to a linux interface for on access scanning
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Chris Mason	Btrfs v0.16 released
git:
Michael Hendricks	removing content from git history
Jakub Narebski	Re: VCS comparison table
Ken Pratt	pack operation is thrashing my server
Aubrey Li	git proxy issue
openbsd-misc:
Kevin Neff	Patching a SSH 'Weakness'
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Theo de Raadt	Re: dmesg IBM x3650 OpenBSD 4.3
F. Caulier	[Perl/locales] Warning about locales
linux-netdev:
KOSAKI Motohiro	[bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"
Jens Axboe	Re: [BUG] New Kernel Bugs
Rémi	[PATCH 0/6] [RFC] Phonet pipes protocol (v2)
Oliver Hartkopp	Re: [RFC] Patch to option HSO driver to the kernel


Treason Uncloaked	2 hours ago	Linux kernel
Shared swap partition	13 hours ago	Linux general
high memory	2 days ago	Linux kernel
semaphore access speed	2 days ago	Applications and Utilities
the kernel how to power off the machine	2 days ago	Linux kernel
Easter Eggs in windows XP	2 days ago	Windows
Root password	2 days ago	Linux general
Where/when DNOTIFY is used?	2 days ago	Linux kernel
How to convert Linux Kernel built-in module into a loadable module	2 days ago	Linux kernel
Linux 2.6.24 and I/O schedulers	2 days ago	Linux kernel

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

Online users