[ubuntu-hardened] Fixed some bugs in the postinst and postrm scripts of vSecurity packages, merged amd64 changes

Magnus Therning magnus at therning.org
Mon Oct 17 04:47:54 CDT 2005


On Sun, Oct 16, 2005 at 08:43:31PM +0200, Lorenzo Hernández García-Hierro wrote:
>On dom, 2005-10-16 at 20:06 +0200, Herman Bos wrote:
>> I'm not totally into it but if I may ask what are the consequences of
>> disabling the capabilities module? It sounds pretty bad.
>
>We are just disabling it from using a slot within the LSM framework, not
>removing capabilities support at all. We just end up using the hook
>(capable()) within vSecurity instead of the one inside 'capability'
>LKM, getting a free slot for our module and hence being able to load
>it.

A question: when you're talking about "a slot within LSM" what do you
mean?

My (possibly outdated) understanding of LSM was that from the kernel's
POV there can be only one LSM. However there is a way of chaining LSMs,
but it's at the discretion of the one LSM. Actually everything is at the
discretion of this one LSM, calling (and combining results from) the
other LSMs and managing module-specific state data.

There was some work done on using a hash table for the module-specific
state data, but I haven't followed the kernel lists so I don't know what
happened to it.

/M

-- 
Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://therning.org/magnus

Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.

Programming is an art form that fights back.