Re: [RFC] LSM changes for 2.5.38

Greg KH (greg@kroah.com)
Fri, 27 Sep 2002 09:55:56 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Andi Kleen: "Re: [PATCH] Put modules into linear mapping"
Previous message: Christoph Hellwig: "Re: [RFC] LSM changes for 2.5.38"

On Fri, Sep 27, 2002 at 05:48:49PM +0100, Christoph Hellwig wrote:
> > capable is needed to be checked, as we are not modifying the existing
> > permission logic.
>
> I odn't think it makes sense to have two security checks that both
> end up in the LSM code after each other..

For cases like the module_* hooks, and the other examples you pointed
out, I agree.

For other cases, capable() is just not fine grained enough to actually
know what is going on (like CAP_SYS_ADMIN). In those cases you need an
extra hook to determine where in the kernel you are.

thanks,

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "Re: [PATCH] Put modules into linear mapping"
Previous message: Christoph Hellwig: "Re: [RFC] LSM changes for 2.5.38"