Re: [PATCH 2/2] Version 9 (2.6.24-rc1) Smack: Simplified Mandatory Access Control Kernel

2007-10-27 Thread Casey Schaufler
--- Al Viro <[EMAIL PROTECTED]> wrote: > On Sat, Oct 27, 2007 at 11:01:12AM +0200, Ahmed S. Darwish wrote: > > The problem here (As discussed in private mails) is that the for loop > > assumes that the beginning of given user-space buffer is the beginning > > of a rule. This leads to situations

Re: eradicating out of tree modules (was: Linux Security *Module* Framework)

2007-10-27 Thread Adrian Bunk
On Sat, Oct 27, 2007 at 04:07:41PM +0200, Tilman Schmidt wrote: > Greg KH wrote: > > On Fri, Oct 26, 2007 at 11:46:39AM +0200, Tilman Schmidt wrote: > >> [...] I still think there will always be > >> a number of external modules that cannot be merged right now or at > >> all, and deliberately mak

Re: eradicating out of tree modules (was: : Linux Security *Module* Framework)

2007-10-27 Thread Adrian Bunk
On Sat, Oct 27, 2007 at 04:47:15PM +0200, Tilman Schmidt wrote: > Adrian Bunk wrote: > > On Fri, Oct 26, 2007 at 11:46:39AM +0200, Tilman Schmidt wrote: > >> On Thu, 25 Oct 2007 19:56:47 -0700, Greg KH wrote: > >>> On Fri, Oct 26, 2007 at 01:09:14AM +0200, Tilman Schmidt wrote: > [...] Once

Re: [PATCH 2/2] Version 9 (2.6.24-rc1) Smack: Simplified Mandatory Access Control Kernel

2007-10-27 Thread Al Viro
On Sat, Oct 27, 2007 at 11:01:12AM +0200, Ahmed S. Darwish wrote: > The problem here (As discussed in private mails) is that the for loop > assumes that the beginning of given user-space buffer is the beginning > of a rule. This leads to situations where the rule becomes "ecret 20", > or "cret 20"

Re: [PATCH 2/2] Version 9 (2.6.24-rc1) Smack: Simplified Mandatory Access Control Kernel

2007-10-27 Thread Ahmed S. Darwish
> +/** > + * smk_write_cipso - write() for /smack/cipso > + * @filp: file pointer, not actually used > + * @buf: where to get the data from > + * @count: bytes sent > + * @ppos: where to start > + * > + * Returns number of bytes written or error code, as appropriate > + */ > +static ssize_t smk_wri

Re: [AppArmor 00/45] AppArmor security module overview

2007-10-27 Thread Christoph Hellwig
On Fri, Oct 26, 2007 at 07:37:21AM -0700, Arjan van de Ven wrote: > before going into the LSM / security side of things, I'd like to get > the VFS guys to look at your VFS interaction code. It's been NACKed a few times, and just reposting it won't help.

Re: [PATCH 2/2] Version 9 (2.6.24-rc1) Smack: Simplified Mandatory Access Control Kernel

2007-10-27 Thread Casey Schaufler
--- "Ahmed S. Darwish" <[EMAIL PROTECTED]> wrote: > Hi Casey, > > Casey <[EMAIL PROTECTED]> wrote: > > > > This version is again aimed at addressing Al Viro's issues in > > smackfs. Ahmed Darwish has again contributed in the repair of the > > locking issues there. The move to 2.6.24 was also an

Re: [PATCH 0/2] Version 9 (2.6.24-rc1) Smack: Simplified Mandatory Access Control Kernel

2007-10-27 Thread Casey Schaufler
--- Joshua Brindle <[EMAIL PROTECTED]> wrote: > Casey Schaufler wrote: > > The Smack patch and Paul Moore's netlabel API patch, > > together for 2.6.24-rc1. Paul's changes are identical > > to the previous posting, but it's been a while so they're > > here again. > > > > The sole intent of change

Re: eradicating out of tree modules

2007-10-27 Thread Stefan Richter
Tilman Schmidt wrote about: > breaking interfaces they rely on for no other "very good > reason" than to discourage out-of-tree development? How often did this happen yet? -- Stefan Richter -=-=-=== =-=- ==-== http://arcgraph.de/sr/

Re: [PATCH 2/2] Version 9 (2.6.24-rc1) Smack: Simplified Mandatory Access Control Kernel

2007-10-27 Thread Ahmed S. Darwish
Hi Casey, Casey <[EMAIL PROTECTED]> wrote: > > This version is again aimed at addressing Al Viro's issues in > smackfs. Ahmed Darwish has again contributed in the repair of the > locking issues there. The move to 2.6.24 was also an important > release incentive. > My patches mentioned above is not

eradicating out of tree modules (was: : Linux Security *Module* Framework)

2007-10-27 Thread Tilman Schmidt
Adrian Bunk wrote: > On Fri, Oct 26, 2007 at 11:46:39AM +0200, Tilman Schmidt wrote: >> On Thu, 25 Oct 2007 19:56:47 -0700, Greg KH wrote: >>> On Fri, Oct 26, 2007 at 01:09:14AM +0200, Tilman Schmidt wrote: [...] Once you admit that there is code which, for very good reasons, won't ever

Re: Linux Security *Module* Framework (Was: LSM conversion to static interface

2007-10-27 Thread Tetsuo Handa
Hello. Simon Arlott wrote: > I currently have an LSM that only handles permissions for socket_bind > and socket_listen, I load it and then "capability" as secondary on > boot - but now I can't because the LSM framework is now just the LS > framework. I think there are two other problems regarding

eradicating out of tree modules (was: Linux Security *Module* Framework)

2007-10-27 Thread Tilman Schmidt
Greg KH wrote: > On Fri, Oct 26, 2007 at 11:46:39AM +0200, Tilman Schmidt wrote: >> [...] I still think there will always be >> a number of external modules that cannot be merged right now or at >> all, and deliberately making life difficult for out-of-tree code >> maintainers in order to coerce

Re: [PATCH 0/2] Version 9 (2.6.24-rc1) Smack: Simplified Mandatory Access Control Kernel

2007-10-27 Thread Joshua Brindle
Casey Schaufler wrote: The Smack patch and Paul Moore's netlabel API patch, together for 2.6.24-rc1. Paul's changes are identical to the previous posting, but it's been a while so they're here again. The sole intent of change has been to address locking and/or list processing issues. Please don'

Re: [PATCH RFC 2/2] capabilities: implement 64-bit capabilities (v2)

2007-10-27 Thread Andrew Morgan
Serge E. Hallyn wrote: > Unfortunately libcap apparently does not set the > capability_version on the cap_t into a capget(). So > to support old libcap, if the user calls capget without > asking for 64bit caps, we assume 32-bit caps. Otherwise > we g