Re: A Comment from User Space

From: jmjonesat_private
Date: Mon Apr 23 2001 - 12:09:47 PDT


> "On an access error, the LSM will set the process external var 'errno'
> to EFASCIST, and fill in the structure pointed to by the user process
> 'struct *lsm_opaque_data *sec_err_explain' (after checking that the
> pointer is non-NIL and in the address space and all that)".
>

Sounds good (aside from the interesting return code designation), except
it raises the issue of legacy code that may not be prepared for a unique
return.  Perhaps simply a -EPERM, which may have a better chance of
already being managed (yes, I know, could very well be what you
intended).

What about a single, documented, standard call that may or may not return
anything useful, depending on the policy/module in place?

lsm_advisory_type * lsm_error(lsm_advisory_type *lat);

which would fill in the structure (or whatever) with something standardly
meaningful or just NULL or "I COULD TELL YOU, BUT THEN I'D HAVE TO
KILL YOU" or the equivalent?

> That way, for instance, SELinux could fill in the pointer to pass info
> back to /bin/passwd if it desired, and RBSAC could fill it in as it
> needed, and so on.  We *may* want to have a 2-4 byte magic cookie
> at the front, identifying the LSM in effect, so programs written to
> support multiple LSM can identify which one is being used.

Don't like.  Don't want to have to write 30 different handlers for 30
different LSMs... want them to look the SAME.

J. Melvin Jones

|>------------------------------------------------------
||  J. MELVIN JONES            jmjonesat_private
|>------------------------------------------------------
||  Microcomputer Systems Consultant
||  Software Developer
||  Web Site Design, Hosting, and Administration
||  Network and Systems Administration
|>------------------------------------------------------
||  http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
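The advisory-call design debated in the message above, as an added example that is not code from the original post or from any LSM implementation. It is a small C model: the kernel side is simulated (`sim_load_module`, `sim_open_secret` and the per-module policy are constructed for the demo), while the single call `lsm_error()` keeps the signature proposed in the message. The `lsm_advisory_type` layout, the `LSM_ADVISORY_MAGIC` cookie and the `OUTCOME_*` codes are assumptions. What it shows is the property the poster asks for: one user-space handler that copes with a module that explains itself, a module that withholds the reason, and a plain `-EPERM` from a legacy path, with no module-specific branches.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical advisory structure (assumed shape, not a real LSM interface):
 * a cookie so a program can tell a filled-in advisory from garbage, the errno
 * the denied call returned, and a module-independent explanation slot. */
#define LSM_ADVISORY_MAGIC 0x4C534D41u   /* "LSMA", constructed value */

typedef struct lsm_advisory_type {
    unsigned int magic;        /* LSM_ADVISORY_MAGIC once filled in */
    int          error;        /* errno of the denial; always plain EPERM here */
    int          explained;    /* 1 = module supplied a reason, 0 = withheld */
    char         module[16];   /* module in effect, informational only */
    char         reason[64];   /* empty when explained == 0 */
} lsm_advisory_type;

/* ---- simulated kernel side (constructed for the demo) ---- */

struct sim_policy { const char *name; int talkative; };
static struct sim_policy sim_module = { "sim-none", 0 };
static int         sim_pending_errno = 0;      /* last denial not yet reported */
static const char *sim_pending_reason = "";

/* Pretend a different module (with a different disclosure policy) is loaded. */
void sim_load_module(const char *name, int talkative)
{
    sim_module.name = name;
    sim_module.talkative = talkative;
}

/* A denied operation: the module records why, but the caller still only
 * sees -EPERM, so code that already handles EPERM keeps working unchanged. */
int sim_open_secret(void)
{
    sim_pending_errno  = EPERM;
    sim_pending_reason = "label mismatch on target object";
    return -EPERM;
}

/* The single documented call from the message.  Fills *lat and returns lat,
 * or returns NULL when there is nothing to report.  The NULL check stands in
 * for the kernel validating that the pointer lies in the caller's address
 * space before writing through it. */
lsm_advisory_type *lsm_error(lsm_advisory_type *lat)
{
    if (lat == NULL || sim_pending_errno == 0)
        return NULL;
    memset(lat, 0, sizeof *lat);
    lat->magic = LSM_ADVISORY_MAGIC;
    lat->error = sim_pending_errno;
    snprintf(lat->module, sizeof lat->module, "%s", sim_module.name);
    if (sim_module.talkative) {
        lat->explained = 1;
        snprintf(lat->reason, sizeof lat->reason, "%s", sim_pending_reason);
    } else {
        lat->explained = 0;          /* "I could tell you, but ..." */
    }
    sim_pending_errno = 0;           /* one-shot: reported once, then cleared */
    return lat;
}

/* ---- user-space side: ONE handler, whatever module is loaded ---- */

enum outcome {
    OUTCOME_OK = 0,          /* call succeeded */
    OUTCOME_EXPLAINED = 1,   /* denied, module said why */
    OUTCOME_OPAQUE = 2,      /* denied, module declined to say why */
    OUTCOME_NO_ADVISORY = 3, /* plain EPERM, nothing extra available */
    OUTCOME_OTHER_ERROR = 4  /* some error other than a permission denial */
};

/* Turn a syscall-style return code into a message and an outcome class.
 * No branch in here depends on which module is in effect. */
int handle_result(int rc, char *msg, size_t msglen)
{
    lsm_advisory_type adv;

    if (rc >= 0) { snprintf(msg, msglen, "ok"); return OUTCOME_OK; }
    if (rc != -EPERM) { snprintf(msg, msglen, "error %d", -rc); return OUTCOME_OTHER_ERROR; }

    /* Ask once; treat "nothing to say" exactly like a classic EPERM. */
    if (lsm_error(&adv) == NULL || adv.magic != LSM_ADVISORY_MAGIC) {
        snprintf(msg, msglen, "permission denied");
        return OUTCOME_NO_ADVISORY;
    }
    if (adv.explained) {
        snprintf(msg, msglen, "permission denied by %s: %s", adv.module, adv.reason);
        return OUTCOME_EXPLAINED;
    }
    snprintf(msg, msglen, "permission denied by %s (reason withheld)", adv.module);
    return OUTCOME_OPAQUE;
}

int main(void)
{
    char buf[128];
    sim_load_module("sim-verbose", 1);
    handle_result(sim_open_secret(), buf, sizeof buf); puts(buf);
    sim_load_module("sim-silent", 0);
    handle_result(sim_open_secret(), buf, sizeof buf); puts(buf);
    handle_result(-EPERM, buf, sizeof buf);            puts(buf);
    return 0;
}
```

The handler never inspects `adv.module` to decide what to do; it only echoes it. That is the design point in the message: the cookie tells the user which module spoke, but the program's logic stays identical across modules, and a module that refuses to explain degrades to the same path as a kernel with no advisory support at all.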
    



    This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 12:11:03 PDT