linux-security-module July 2008 archive

Re: [rfc patch 2/2] security: remove dummy module

From: Casey Schaufler <casey_at_nospam>
Date: Fri Jul 04 2008 - 04:24:28 GMT
To: James Morris <jmorris@namei.org>


James Morris wrote:
> On Thu, 3 Jul 2008, Miklos Szeredi wrote:
>
>
>> From: Miklos Szeredi <mszeredi@suse.cz>
>>
>> Remove the dummy module and make the "capability" module the default.
>>
>> Compile and boot tested.
>>
>
> We still need a way to perform secondary stacking of the capability module
> (root_plug also, possibly).
>
> The current approach is that we use link order to ensure that capability
> is loaded last, and if it detects a primary LSM, mod_reg_security is
> called to see if that LSM wants to stack it.
>
> Now that capability will always be linked in, there might be a cleaner way
> to do this. e.g. the primary LSMs explicitly stack capability if needed.
>
>

Well, Smack is doing that now and SELinux does its bit with a "secondary" module that's only going to work if it's capabilities, so I don't see it as a short term issue.

I am still hacking out ideas on how to properly separate the privilege and access control schemes, and I can't honestly say that I have a brilliant solution in my pocket. Stacking does not seem to be the right way to go when you're talking about privilege and access control as the two get intertwined.

--
----------------------
Casey Schaufler
casey@schaufler-ca.com
650.906.1780