From: Randy Dunlap <rdunlap@infradead.org>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
LKLM <linux-kernel@vger.kernel.org>,
SE Linux <selinux@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
John Johansen <john.johansen@canonical.com>,
Eric Paris <eparis@redhat.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v13 9/9] LSM: Documentation and cleanup
Date: Tue, 23 Apr 2013 12:02:32 -0700
Message-ID: <5176DAC8.8040401@infradead.org>
In-Reply-To: <5176B12C.4000506@schaufler-ca.com>

On 04/23/13 09:05, Casey Schaufler wrote:
> Subject: [PATCH v13 9/9] LSM: Documentation and cleanup
>
> Add a description of the ways secuirty modules work now.
security
> Remove security/capability.c as it is no longer used.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> ---
> Documentation/security/LSM.txt | 39 +-
> security/Makefile | 3 +-
> security/capability.c | 1104 ----------------------------------------
> 3 files changed, 31 insertions(+), 1115 deletions(-)
>
> diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt
> index c335a76..f979e00 100644
> --- a/Documentation/security/LSM.txt
> +++ b/Documentation/security/LSM.txt
> @@ -9,18 +9,39 @@ CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
> "security=..." kernel command line argument, in the case where multiple
> LSMs were built into a given kernel.
>
> +Both CONFIG_DEFAULT_SECURITY and the "security=" option take a comma
> +separated list of LSM names. The LSM hooks are invoked in the order
> +specified. All hooks provided are invoked regardless of the outcome
> +of preceeding hooks. Hooks the return success or failure results
preceding . ^^^confusing sentence structure^^^
> +return success if all of the LSM provided hooks succeed and the error
> +code of the last failing hook on error.
> +
> +The /proc filesystem attribute interface supports files from a time
> +when only one LSM could be used at a time. CONFIG_PRESENT_SECURITY
> +defines which LSM uses these interfaces. There are also LSM identified
> +interfaces which should be used in preference to the undifferentiated
> +interfaces.
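Review bot: In the first added paragraph, "Hooks the return success or failure results return success if ..." is missing a word (presumably "Hooks that return ...") and hides the rule an administrator most needs. Because every hook runs regardless of earlier outcomes and the error code of the last failing hook is what gets returned, the error a caller sees depends on the order given in CONFIG_DEFAULT_SECURITY or "security=". Suggest stating that consequence in its own sentence, and saying how hooks that do not return a success or failure result are combined. In the second added paragraph, CONFIG_PRESENT_SECURITY is introduced without saying whether it can be overridden at boot time the way "security=" can, and the "LSM identified interfaces" are recommended but never named; giving their /proc paths would let a reader act on the advice to prefer them.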
--
~Randy