Re: [RFC][PATCH] Extended Attributes for Security Modules
richard offer (offer@sgi.com)
Thu, 17 Apr 2003 13:53:07 -0700
* frm chris@wirex.com "04/17/03 13:30:59 -0700" | sed '1,$s/^/* /'
*
** Stephen Smalley (sds@epoch.ncsc.mil) wrote:
*> On Wed, 2003-04-16 at 18:02, richard offer wrote:
*> > I can see your reasons for the single attribute (known quantity for
*> > production systems), but think its better at this stage to experiment
*> > with multiple attributes and see how people use them before forcing
*> > everyone to a single standard. It allows small steps rather than force
*> > everyone to make a single large one.
*>
*> Per-module attribute names create no incentive for the security module
*> writers to provide a consistent API and guarantees a forked userland.
*
* This is the core issue. Personally, I'd rather stick to simple strings
* and per-module attributes rooted at a common point. This is simplest
* for userspace tools. But the attribute namespace is effectively flat,
* so it's a question of simplicity for locating the attributes. A simple
* getxattr(2) vs. a listxattr(2) plus multiple getxattr(2). Unfortunately,
* this points at a single standard name I think...
Good point. Okay you've conviced me enough that while I don't agree more
than 51%, I'm at least going to shut up until the next time.
Would it make sense to have a single "backup/restore security label" tool
that is distributed alongside LSM rather than relying on each module writer
developing their own.
*
* thanks,
* -chris
richard.
--
-----------------------------------------------------------------------
Richard Offer Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/