Re: intercepting system calls

From: Crispin Cowan (crispinat_private)
Date: Sat Apr 14 2001 - 11:52:03 PDT


    David Wagner wrote:
    
    > Seth Arnold  wrote:
    > >What would happen to the security_state field in the task_struct for
    > >processes already running before the module is loaded? Would the module,
    > >during load, iterate through all processes and update their security
    > >pointers? Would the module, during unload (is unloading something we
    > >really want to support? :), iterate through all processes and return the
    > >security handler information a null or default state?
    >
    > I would propose to let this be module specific.
    >
    > If the module wants to know about pre-existing processes,
    > let the module do this iteration when it is initialized and
    > attach to process it cares about.  If it doesn't need to know
    > about pre-existing processes, it can omit this step.
    
    I agree.  I suspect that the common case will be for the loaded module to do
    nothing to existing processes:  if it's important, then configure the system
    for the module to load early, or compile it into the kernel.
    
    To allow modules that want to do this to do it, we'll need to expose the
    task list, so that iteration can happen.  But we'll need to do that anyway,
    because some security policies will depend on quantified assertions like
    "For all processes ..." or "There does (not) exist a process that ..."
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
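An added illustration of the task-list walk Crispin describes, not code from the list or from any LSM module: a constructed user-space model of task_struct's security pointer, in which a hypothetical module's init adopts the pre-existing (unlabelled) tasks, its access check refuses to dereference a NULL pointer for tasks it never labelled, and its unload returns every task to the null state. The task and mod_state structures and all function names are assumptions made for this example.

```c
#include <stdlib.h>

/* Constructed user-space model of task_struct with its opaque security pointer. */
struct task { int pid; void *security; struct task *next; };
struct mod_state { int label; };      /* what the hypothetical module hangs off task->security */
static struct task *task_list;        /* head of the constructed task list */

/* Links in a new task; stands in for fork() creating a task_struct. */
struct task *task_create(int pid)
{
    struct task *t = calloc(1, sizeof *t);
    t->pid = pid;
    t->next = task_list;
    task_list = t;
    return t;
}
/* Gives one task the module's default state (a real module would kmalloc here). */
void attach_state(struct task *t)
{
    struct mod_state *s = calloc(1, sizeof *s);
    s->label = 0;
    t->security = s;
}
/* Module init: Crispin's "iterate the task list" step. Returns how many pre-existing
 * tasks carried no state and were given the default. In the real kernel this walk is
 * for_each_process() with tasklist_lock held; here it is a plain list traversal. */
int module_init_attach_existing(void)
{
    int adopted = 0;
    for (struct task *t = task_list; t; t = t->next)
        if (!t->security) { attach_state(t); adopted++; }
    return adopted;
}
/* Access check that stays safe for a task the module never labelled:
 * a NULL security pointer is denied, not dereferenced. */
int check_access(const struct task *t, int needed)
{
    const struct mod_state *s = t->security;
    if (!s) return -1;
    return s->label >= needed ? 0 : -1;
}
/* Module unload (Seth's question): return every task to the NULL state. */
int module_exit_detach_all(void)
{
    int detached = 0;
    for (struct task *t = task_list; t; t = t->next)
        if (t->security) { free(t->security); t->security = NULL; detached++; }
    return detached;
}
```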
    