Re: A basic question about the security_* hooks

[Serge E. Hallyn]

Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Casey Schaufler <casey@xxxxxxxxxxxxxxxx> writes:
> 
> > I'm behind you 100%. Use the LSM. Your module is exactly why we have
> > the blessed thing. Once we get a collection of otherwise unrelated
> > LSMs the need for a stacker will be sufficiently evident that we'll
> > be able to get one done properly.
> 
> My immediate impression is that the big limitation today is the
> sharing of the void * security data members of strucutres.
> 
> Otherwise multiple security modules could be as simple as.
> list_for_each(mod)
>         if (mod->op(...) != 0)
> 		return -EPERM.
> 
> It isn't hard to multiplex a single data field into several with a
> nice little abstraction.
> 
> With my maintainer of a general purpose kernel hat on I would love to
> be able to build in all of the security modules and select at boot
> time which ones were enabled.

You're supposed to be able to do that now - use the "security=smack"
or whatever boot option (see security/security.c:choose_lsm() ).

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/