On Thu, 10 May 2001, Greg KH wrote:

> > Are there plans to hook syscalls? If not, I can make a very strong
> > argument to do so. Let me know if you want to hear it.
>
> Do you want to hook syscalls in a different manner than the current
> ability to hook them (messing with the syscall table which LSM doesn't
> affect)? Or are you wanting a hook in the security table structure for
> every individual call?

It would be nice if the LSM project provided a way to hook arbitrary
syscalls (see other mail). Of course, syscall latency is a concern, so in
default form, this would entail checking a pointer for nullness, and
finding a null pointer, so not doing anything.

> The current scheme is to control access to the kernel's core data
> structures. Some of this requires hooks in syscalls, other places this
> does not (the whole networking hook system will not be near the single
> network syscall, from what I think Chris W. has in mind.)

I think the most important "object" to hook in the networking land is the
"network interface". Quick cheesy example:

- eth0: labelled as low security
- slip0: labelled as high security

/etc/very/secret: labelled as sensitive, high security

process pid 100: has /etc/very/secret open, marked as sensitive
process pid 100 does socket()
process pid 100 tries to bind to IP address owned by eth0
=> EPERM!!

Cheers
Chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
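The two ideas in the message above, a hook table whose null entries cost only a pointer test, and an interface-label check that denies bind() for a task marked sensitive, replayed as an added userspace model in C. This is not code from the message, from the LSM project or from the kernel; the interface table, the addresses, the label values, the hook names and the flow rule (a task that has read high-labelled data may not bind to a lower-labelled interface) are all constructed for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sensitivity labels, constructed for this example: the public link and
   ordinary files are low; the private link and the secret file are high. */
enum label { LABEL_LOW = 0, LABEL_HIGH = 1 };

struct netif {
    const char *name;
    uint32_t addr;        /* IPv4 address the interface owns, host byte order */
    enum label label;
};

struct file_obj {
    const char *path;
    enum label label;
};

struct task {
    int pid;
    enum label max_read;  /* highest label read so far: the "sensitive" mark */
};

/* Hook table in the spirit of the mail's suggestion (names are assumptions).
   A null pointer means no module is loaded, so the default is to allow. */
struct sec_hooks {
    int (*file_open)(struct task *t, const struct file_obj *f);
    int (*socket_bind)(const struct task *t, uint32_t addr);
};

static struct sec_hooks *hooks;   /* NULL until a policy module registers */

/* Constructed interface table matching the mail's two-interface scenario. */
#define ETH0_ADDR  0x0A000001u    /* 10.0.0.1      */
#define SLIP0_ADDR 0xC0A80A01u    /* 192.168.10.1  */

static const struct netif ifaces[] = {
    { "eth0",  ETH0_ADDR,  LABEL_LOW  },
    { "slip0", SLIP0_ADDR, LABEL_HIGH },
};

static const struct netif *iface_for_addr(uint32_t addr) {
    for (size_t i = 0; i < sizeof ifaces / sizeof ifaces[0]; i++)
        if (ifaces[i].addr == addr) return &ifaces[i];
    return NULL;
}

/* Policy module: opening a file raises the task's mark to the file's label;
   binding is refused when the mark exceeds the owning interface's label. */
static int policy_file_open(struct task *t, const struct file_obj *f) {
    if (f->label > t->max_read) t->max_read = f->label;
    return 0;
}

static int policy_socket_bind(const struct task *t, uint32_t addr) {
    const struct netif *ifp = iface_for_addr(addr);
    if (!ifp) return -EADDRNOTAVAIL;          /* address not owned locally */
    if (t->max_read > ifp->label) return -EPERM;
    return 0;
}

static struct sec_hooks policy = { policy_file_open, policy_socket_bind };

/* "Syscall" entry points: with no module loaded the only cost is a null test. */
int sys_open_file(struct task *t, const struct file_obj *f) {
    if (hooks && hooks->file_open) return hooks->file_open(t, f);
    return 0;
}

int sys_bind(const struct task *t, uint32_t addr) {
    if (hooks && hooks->socket_bind) return hooks->socket_bind(t, addr);
    return 0;
}

void register_policy(void)   { hooks = &policy; }
void unregister_policy(void) { hooks = NULL; }

/* Runs the mail's scenario with the policy loaded: pid 100 optionally opens
   /etc/very/secret, then tries to bind to addr. Returns the bind result. */
int scenario_bind(int read_secret, uint32_t addr) {
    static const struct file_obj secret = { "/etc/very/secret", LABEL_HIGH };
    struct task t = { 100, LABEL_LOW };
    register_policy();
    if (read_secret) sys_open_file(&t, &secret);
    return sys_bind(&t, addr);
}

/* Same bind with the module unloaded: the null hook pointer means allow. */
int bind_without_module(uint32_t addr) {
    struct task t = { 100, LABEL_HIGH };
    unregister_policy();
    return sys_bind(&t, addr);
}

int main(void) {
    int rc = scenario_bind(1, ETH0_ADDR);
    printf("pid 100, secret open, bind to eth0: %s\n",
           rc == -EPERM ? "EPERM" : "allowed");
    return 0;
}
```

The bind decision keys on the interface that owns the address rather than on the socket() call itself, which is the point the mail makes: the policy object is the network interface, and the per-call overhead when no module is registered is one pointer comparison.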
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 17:31:25 PDT