On Mon, 23 Apr 2001 22:02:52 +0200, Milan Pikula - WWW said:

> kernel can return a few errno codes, let's say they are in some interval
> and each security module has some offset to this pool of errnos.
> libc wraps them into retval=-1, errno=EPERM and lsm_errno=something.

Right. That's what I said, or pretty close.

> Offsets are statically allocated at the time of installing this module (the
> source form of it), and the strings (for the lsm_perror libc call) are added
> at the same time to some configuration file (/etc/lsm_errno?). Or we should
> just enable "includes" in this file and include from real headers of these
> modules. If the call 'lsm_perror' cannot find the entry in this file, it just
> prints some default string and exits.
>
> This one does not require a daemon (which must be able to communicate with
> all processes, so it introduces a security risk) and does the same job;
> it's transparent and easy to localize.

That's another implementation of lsm_perror(). The point is that by specifying
retval, errno, and lsm_errno, we've *finished* the kernel interface. A given LSM
can ignore lsm_errno, or use a string-table lookup, or an IPC, or whatever *else*
it wants to in the lsm_perror() handling *in user space, after the fact*.

/Valdis
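The following is an added illustration of the retval / errno / lsm_errno split the two posters are discussing; it is not code from the LSM thread, from Linux, or from any libc. It sketches what a libc-side wrapper and a string-table lsm_perror() could look like. The errno interval (1000-1999), the per-module offsets, the tab-separated format standing in for /etc/lsm_errno and every function name are assumptions made for the example.

```c
/* Added example, not from the LSM list thread: a user-space sketch of the
 * retval / errno / lsm_errno convention. Interval, table format and names
 * are assumptions, not a real kernel or libc ABI. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed kernel convention: LSM-specific denials come back as
 * -(LSM_ERRNO_BASE + module_offset + module_code), a range no ordinary
 * errno value occupies. Both bounds are constructed for this example. */
#define LSM_ERRNO_BASE 1000
#define LSM_ERRNO_MAX  1999

/* The extra out-of-band value a libc wrapper would set beside errno. */
static int lsm_errno;

/* Constructed stand-in for /etc/lsm_errno: one "<code>\t<text>" line per
 * entry. Offsets are per module: modA owns 1000-1099, modB 1100-1199. */
static const char *lsm_errno_table =
    "1001\tmodA: write to labelled file denied\n"
    "1002\tmodA: label transition refused\n"
    "1101\tmodB: capability not held by domain\n";

/* Wrap a raw kernel return value the way libc would: a negative value in
 * the LSM interval becomes retval=-1, errno=EPERM, lsm_errno=<code>; any
 * other negative value becomes the usual errno with lsm_errno cleared. */
long lsm_wrap_result(long raw)
{
    if (raw >= 0) {
        lsm_errno = 0;
        return raw;
    }
    long code = -raw;
    if (code >= LSM_ERRNO_BASE && code <= LSM_ERRNO_MAX) {
        errno = EPERM;
        lsm_errno = (int)code;
    } else {
        errno = (int)code;
        lsm_errno = 0;
    }
    return -1;
}

/* Look a module code up in the table. Returns 1 on a hit (text copied into
 * buf) or 0 if absent, in which case buf holds the default string. */
int lsm_strerror(int code, char *buf, size_t buflen)
{
    const char *p = lsm_errno_table;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        char *end;
        long n = strtol(line, &end, 10);
        if (*end == '\t' && n == code) {
            snprintf(buf, buflen, "%s", end + 1);
            return 1;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    snprintf(buf, buflen, "unknown LSM error %d", code);
    return 0;
}

/* perror-style helper: ordinary errno text first, then the module-specific
 * text when lsm_errno is set. Entirely user space, after the fact. */
void lsm_perror(const char *prefix)
{
    char msg[128];
    if (lsm_errno == 0) {
        perror(prefix);
        return;
    }
    lsm_strerror(lsm_errno, msg, sizeof msg);
    fprintf(stderr, "%s: %s (lsm_errno %d: %s)\n",
            prefix, strerror(errno), lsm_errno, msg);
}

int main(void)
{
    /* Constructed raw kernel results: an LSM denial and a plain EACCES. */
    if (lsm_wrap_result(-1002L) == -1)
        lsm_perror("open");
    if (lsm_wrap_result(-(long)EACCES) == -1)
        lsm_perror("open");
    return 0;
}
```

The point the example makes is the one Valdis draws: once the wrapper has fixed retval, errno and lsm_errno, everything in lsm_strerror() and lsm_perror() is a user-space policy choice. Swapping the in-memory table for a file read, or for an IPC to a daemon, changes nothing in the kernel-facing contract, and a missing entry degrades to a default string rather than an error.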
This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 13:18:03 PDT