Hi,

On Mon, 23 Apr 2001 Valdis.Kletnieksat_private wrote:

W>extern int errno, lsm_errno;
W>
W> rc = some_syscall(...);
W> if (rc) {
W>     if (errno == EPERM) {
W>         lsm_perror(lsm_errno);
W>     }
W>     else perror();
W> }
W>
W>And if a LSM wants to be opaque, it can return an lsm_errno that
W>causes lsm_perror() to return 'Permission Denied' same as perror.

This looks great for the userspace, but we have a problem with returning one more return value. Of course, this can be handled by libc, by defining more EPERM return codes.

W>it wants to be very wordy, it can pass back a 32-bit value that
W>lsm_perror can send across an IPC to a daemon process that looks up
W>the event in a journal and hands back a string saying "denied because
W>this process is in user class FOOBAR and has already used its limit of
W>mmap() calls per 5-minute interval".

I personally don't like this approach. It's not a very clean unix concept, as the "core" library calls usually do the job themselves. And this only moves the problem to the daemon.

The real problem is in the kernel-userspace communication. In the normal UNIX world, the communication is reduced to the value, which is "well-known" and is in one header, common for kernel and user-space. I'd like not to introduce something new, or break something which looks like a standard.

So I propose (using the above semantics) this approach: the kernel can return a few errno codes, let's say they are in some interval, and each security module has some offset into this pool of errnos. libc wraps them into retval=-1, errno=EPERM and lsm_errno=something. Offsets are statically allocated at the time of installing the module (the source form of it), and the strings (for the lsm_perror libc call) are added at the same time to some configuration file (/etc/lsm_errno?). Or we should just enable "includes" in this file and include from the real headers of these modules. If the call 'lsm_perror' cannot find the entry in this file, it just prints some default string and exits.
This one does not require a daemon (which must be able to communicate with all processes, so it introduces a security risk) and does the same job; it's transparent and easy to localize.

Regards,
Milan Pikula

--
Milan Pikula, WWW. Finger me for Geek Code.
http://fornax.elf.stuba.sk/~www, wwwat_private
.. give me a fixed line and I will move the globe ..
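The proposal above, sketched as an added example (not code from this post or from the LSM project). The pool bounds 3840-4095, the "<code> <message>" file format, and the names lsm_wrap and lsm_strerror are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed pool bounds; the post fixes neither the interval nor the file format. */
#define LSM_ERRNO_BASE 3840
#define LSM_ERRNO_MAX  4095
int lsm_errno;                /* module-specific reason, set next to errno */

/* Constructed stand-in for /etc/lsm_errno: one "<code> <message>" per line. */
static const char sample_table[] =
    "# module foobar, statically allocated offset 16\n"
    "3856 denied: process is in user class FOOBAR\n"
    "3857 denied: mmap() limit per 5-minute interval reached\n";

/* libc side: fold a raw kernel return value into retval/errno/lsm_errno. */
long lsm_wrap(long raw)
{
    lsm_errno = 0;
    if (raw >= 0) return raw;
    if (-raw >= LSM_ERRNO_BASE && -raw <= LSM_ERRNO_MAX) {
        lsm_errno = (int)-raw;    /* detail survives for lsm_perror() */
        raw = -EPERM;             /* unaware callers still see plain EPERM */
    }
    errno = (int)-raw;
    return -1;
}

/* Find code in the table text; unknown codes get the opaque default string. */
const char *lsm_strerror(const char *table, int code, char *buf, size_t len)
{
    for (const char *p = table; len && p && *p; ) {
        char *end; long n = strtol(p, &end, 10);
        if (end != p && n == code && *end == ' ') {
            size_t k = strcspn(end + 1, "\n");
            if (k >= len) k = len - 1;   /* truncate to the caller's buffer */
            memcpy(buf, end + 1, k);
            buf[k] = '\0';
            return buf;
        }
        p = strchr(p, '\n');             /* advance to the next table line */
        if (p) p++;
    }
    return "Permission denied";
}
int main(void)
{
    char buf[128];
    if (lsm_wrap(-3857) == -1 && errno == EPERM)
        puts(lsm_strerror(sample_table, lsm_errno, buf, sizeof buf));
}
```

A module that wants to stay opaque simply ships no table entry, and the caller gets the same string perror would give for EPERM.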
This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 12:59:05 PDT