Re: Sample SELinux hook function implementations

From: Stephen Smalley (sdsat_private)
Date: Wed May 09 2001 - 07:38:33 PDT

  • Next message: Valdis.Kletnieksat_private: "Re: More 2.4.4 benchmarks"

    On Thu, 3 May 2001, Chris Wright wrote:
    > This looks great!  I have changed the alloc and free routines to take
    > pointers to the full structure (like struct inode, or whatever), this ought
    > to help you out.  Your use of the security blob in the linux_binprm
    > structure is something I had forgotten about.  We were moving towards using
    > IS_ERR to know if the allocation failed.  But it looks like you are using the
    > void * just as a 32 bit security id.  It is possible that IS_ERR will
    > erroneously detect an allocation failure ;-(  task_ops->kill() now takes task,
    > info and sig.  (sorry i was meaning to merge that in earlier).  Looking forward
    > to your commentary ;-) 
    I would suggest a further revision to the alloc_security routines.
    Since a pointer to the full structure is passed to the routine,
    let the routine set the security field itself if it desires and
    have it merely return an integer status to indicate error conditions.
    That allows a security module to choose not to use the security field
    at all for some structures (e.g. not all modules may care about the
    struct super_block security field or the struct file security field),
    and it allows the module to use the field arbitrarily (e.g. using
    the void* to store an integer rather than a pointer).
    Stephen D. Smalley, NAI Labs
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Wed May 09 2001 - 07:40:31 PDT