Re: A Comment from User Space

From: David Wagner (dawat_private)
Date: Tue Apr 24 2001 - 11:43:36 PDT


    Crispin Cowan wrote:
    >SubDomain adds only one system call, but it needs to be fast.  [...]
    >The canonical example is to have a PERL script being
    >interpreted by mod_perl within an Apache process to run with different
    >permissions than the Apache process itself.
    
    Well, using a /proc interface takes at worst only two syscalls:
      fd = open("/proc/subdomain", O_RDWR);
      write(fd, "change_hat foo_perm ...", ...);
    If you cache the fd, it takes only one syscall.  So, while I cannot
    guarantee that it will be fast enough for your purposes, I would expect
    that it most likely is about as good as a syscall.  Without measurements
    to the contrary, I would expect a difficult time getting acceptance
    from linux-kernel residents (although that's just a guess).
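
The cached-descriptor pattern described in the message above, as an added example that is not part of the original post or of SubDomain's code. The helper names are hypothetical, and the control-file path and command text are supplied by the caller because the message elides the real command format.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_CLOEXEC */
#endif
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

static int ctl_fd = -1;            /* cached descriptor (hypothetical helper state) */
static unsigned long ctl_syscalls; /* syscalls this helper has issued */

/* Send one command to the control file at `path`; 0 on success, -1 + errno on error.
 * Path and command text are caller-supplied assumptions, not SubDomain's real syntax. */
int ctl_command(const char *path, const char *cmd)
{
    size_t len = strlen(cmd);
    ssize_t n;

    if (ctl_fd < 0) {
        /* Worst case from the message: open() now, write() below = two syscalls.
         * O_CLOEXEC keeps the cached fd from leaking into exec'd children. */
        ctl_fd = open(path, O_RDWR | O_CLOEXEC);
        ctl_syscalls++;
        if (ctl_fd < 0)
            return -1;
    }
    do {    /* one write() per command; retry only if interrupted by a signal */
        n = write(ctl_fd, cmd, len);
        ctl_syscalls++;
    } while (n < 0 && errno == EINTR);
    if (n < 0)
        return -1;
    if ((size_t)n != len) {   /* short write: the kernel side saw a truncated command */
        errno = EIO;
        return -1;
    }
    return 0;
}

unsigned long ctl_syscall_count(void) { return ctl_syscalls; }

void ctl_close(void) { if (ctl_fd >= 0) { close(ctl_fd); ctl_fd = -1; } }

int main(int argc, char **argv)
{
    if (argc != 3)             /* usage: prog <control-file> <command> */
        return 2;
    return ctl_command(argv[1], argv[2]) == 0 ? 0 : 1;
}
```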
    