Re: intercepting system calls

• Previous message: David Wagner: "Re: GACI item list - to give some items for discussion"
• In reply to: Casey Schaufler: "Re: intercepting system calls"
• Next in thread: Casey Schaufler: "Re: intercepting system calls"
• Next in thread: David Wagner: "Re: intercepting system calls"
• Reply: Casey Schaufler: "Re: intercepting system calls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Casey Schaufler  wrote:
>In some implementations of Mandatory Access Control
>checks are done on every operation just in case the
>MAC label changed after the open.

I see.  Suppose our hooks had the following properties:
  1. For modules that mediate every read()/write() call,
     they can do so, but performance might be affected due
     to the unavoidable overhead of a function call.
  2. Modules that don't want to mediate any read()/write()
     calls won't incur any noticeable performance overhead.
If both properties could be achieved with some mechanism,
would this be sufficient to support these MAC applications?

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Greg KH: "Re: The bootstrap process"
• Previous message: David Wagner: "Re: GACI item list - to give some items for discussion"
• In reply to: Casey Schaufler: "Re: intercepting system calls"
• Next in thread: Casey Schaufler: "Re: intercepting system calls"
• Next in thread: David Wagner: "Re: intercepting system calls"
• Reply: Casey Schaufler: "Re: intercepting system calls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 16:23:57 PDT