Philippe Biondi wrote:
>The problems that it raises and that we must resolve:
>* How to attach AC data to processes?
>* How can we guarantee that we did not forget a check point?
>* How can we manage security policies changes/cohabitation?
>[...] Another big problem is the data persistence.

IMHO, these are excellent questions! I've mentioned most of my substantive ideas to address these issues in other emails, so I won't repeat them here. However, I'll touch on the first question you raised.

It seems that there's a natural way to attach state to a process. Add a 'security_state' field to the task_struct which contains a pointer to a linked list of 'void *' pointers (one per module interested in this process). Allow modules to register hooks on process creation and deletion to allocate and de-allocate any memory needed. Provide a way for a module to get and set a 'void *' pointer to be associated with a process.

What do you think of this rough approach?
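A user-space C model of the per-process state scheme proposed in the message above, added here as an illustration; it is not code from the thread or from the kernel. Apart from `security_state`, every name (`struct task`, `sec_blob`, `sec_register`, `sec_get`, `sec_set`, the sample label module) is hypothetical.

```c
#include <stdlib.h>
#define MAX_MODULES 4
#define LABEL_ID 1  /* hypothetical id of the sample module below */
/* One list node per module interested in a task. */
struct sec_blob { int module_id; void *data; struct sec_blob *next; };
/* Stand-in for task_struct; only the proposed field is modelled. */
struct task { int pid; struct sec_blob *security_state; };
/* Hooks a module registers for process creation and deletion. */
struct sec_module { int id; void (*on_create)(struct task *); void (*on_delete)(struct task *); };

static struct sec_module *modules[MAX_MODULES]; static int nmodules;

int sec_register(struct sec_module *m) {
    if (nmodules == MAX_MODULES) return -1;
    modules[nmodules++] = m;
    return 0;
}
void *sec_get(struct task *t, int id) {   /* NULL if this module set nothing */
    for (struct sec_blob *b = t->security_state; b; b = b->next)
        if (b->module_id == id) return b->data;
    return NULL;
}
int sec_set(struct task *t, int id, void *data) {
    struct sec_blob *b;
    for (b = t->security_state; b; b = b->next)   /* reuse this module's node */
        if (b->module_id == id) { b->data = data; return 0; }
    if (!(b = malloc(sizeof *b))) return -1;
    *b = (struct sec_blob){ id, data, t->security_state }; t->security_state = b;
    return 0;
}
struct task *task_create(int pid) {
    struct task *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->pid = pid;
    for (int i = 0; i < nmodules; i++) modules[i]->on_create(t);
    return t;
}
void task_delete(struct task *t) {
    for (int i = 0; i < nmodules; i++) modules[i]->on_delete(t); /* modules free their data */
    for (struct sec_blob *b = t->security_state, *n; b; b = n) { n = b->next; free(b); }
    free(t);
}
/* Sample module: attaches a heap-allocated integer label to every task. */
int live_labels;
static void label_create(struct task *t) {
    int *l = calloc(1, sizeof *l);
    if (l && sec_set(t, LABEL_ID, l) == 0) live_labels++; else free(l);
}
static void label_delete(struct task *t) {
    int *l = sec_get(t, LABEL_ID);
    if (l) { free(l); sec_set(t, LABEL_ID, NULL); live_labels--; }
}
struct sec_module label_module = { LABEL_ID, label_create, label_delete };
```

Each module sees only the pointer stored under its own id, and the deletion hook runs before the list nodes are released so a module can free what it allocated.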
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:26 PDT