[rsbac] Thoughts on the "No Linux Security Modules framework" old
claims
Amon Ott
ao at rsbac.org
Thu Feb 24 09:28:38 CET 2005
On Donnerstag 24 Februar 2005 01:55, Kurt Garloff wrote:
> On Mon, Feb 21, 2005 at 11:19:16AM +0100, Amon Ott wrote:
> > Without rechecking the current state: At least the last time I
> > checked, the hardwired kernel capabilities were explicitely
disabled
> > when LSM got switched on. You had to use the capabilities LSM
module
> > instead, which was not able to stack. It always had to be the last
in
> > the chain, thus effectively sealing against any other LSM module
to
> > be loaded later.
>
> My patches posted Feb 13 fix this.
>
> If you apply them (and I hope Linus will), capabilities is default
> and you can replace that by loading an LSM. You can stack capability
> on top of the primary LSM again, if the latter supports this.
Well, not quite, although it is an improvement.
As long as the capabilities module does not support stacking, anybody
needing capabilities and e.g. on-access scanning with Dazuko will
have to unload this module, load another module, and reload it. This
creates a nasty race condition. BTW, what happens if capabilities
have been compiled static, not as a module?
AFAIK, not all LSM modules provide correct stacking. At least all
modules in the main line kernel should really support the official
way. But this is just a few cents from someone not using LSM...
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- nächster Teil --------------
Ein Dateianhang mit Bin?rdaten wurde abgetrennt...
Dateiname : nicht verf?gbar
Dateityp : application/pgp-signature
Dateigr??e : 189 bytes
Beschreibung: nicht verf?gbar
URL : http://www.rsbac.org/pipermail/rsbac/attachments/20050224/924ce552/attachment.bin
More information about the rsbac
mailing list