Re: [RFC][PATCH] Extended Attributes for Security Modules

Chris Wright (chris@wirex.com)
Thu, 17 Apr 2003 13:30:59 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Karim Yaghmour: "Re: [patch] printk subsystems"
Previous message: Dave Olien: "Re: [PATCH] DAC960_Release bug (2.4.x)"
In reply to: Stephen Smalley: "Re: [RFC][PATCH] Extended Attributes for Security Modules"

* Stephen Smalley (sds@epoch.ncsc.mil) wrote:
> On Wed, 2003-04-16 at 18:02, richard offer wrote:
> > I can see your reasons for the single attribute (known quantity for
> > production systems), but think its better at this stage to experiment with
> > multiple attributes and see how people use them before forcing everyone to
> > a single standard. It allows small steps rather than force everyone to make
> > a single large one.
>
> Per-module attribute names create no incentive for the security module
> writers to provide a consistent API and guarantees a forked userland.

This is the core issue. Personally, I'd rather stick to simple strings
and per-module attributes rooted at a common point. This is simplest
for userspace tools. But the attribute namespace is effectively flat,
so it's a question of simplicity for locating the attributes. A simple
getxattr(2) vs. a listxattr(2) plus multiple getxattr(2). Unfortunately,
this points at a single standard name I think...

thanks,
-chris

-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: Karim Yaghmour: "Re: [patch] printk subsystems"
Previous message: Dave Olien: "Re: [PATCH] DAC960_Release bug (2.4.x)"
In reply to: Stephen Smalley: "Re: [RFC][PATCH] Extended Attributes for Security Modules"