On Fri, Jun 08, 2001 at 10:57:48AM -0400, jmjonesat_private wrote:
> a global variable KERNELSECURITY in the "manner" of errno without
> passing anything?

Absolutely not. :) Think "SMP" and I think you will agree that this
global value is probably not a wise move. :) (The problem continues to
exist even on monoproc machines, but not as obviously broken.)

> 5) For GODESSES'S SAKE, protect security_ops SOMEHOW, or this API is only
> e pluribus unum and vulnerable to "total replacement" from ANYWHERE
> in kernel space. Provide a "non-functional copy", provide a module
> check for revelation, SOMETHING. The idea of a global export just
> seems to introduce too many new vulnerabilities.

I understand your concern. However, recall that this is the kernel we
are talking about; any code loaded into the kernel is completely
trusted. The assumption is made that kernel code is infallible and has
no malicious purpose. Not exporting the security_ops structure is only
an obscurity defense against code that is already assumed to do no harm.

If there is kernel code you don't trust, either #ifdef it out, or refuse
to load the module (if it comes in that form). Or, run a microkernel you
do trust. :)
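The SMP objection in the reply above, replayed as one fixed interleaving of two callers (an added example, not code from this thread or from the LSM patch; `kernel_security`, the two hook functions and the uid policy are hypothetical stand-ins for the proposed KERNELSECURITY global and a security hook). The same ordering can occur on a uniprocessor if the first caller is preempted between the hook call and its read of the global.

```c
#include <stdio.h>

#define SEC_ALLOWED 0
#define SEC_DENIED  (-1)

/* Hypothetical errno-style global, standing in for KERNELSECURITY. */
static int kernel_security;

/* Hypothetical policy for the example: only uid 0 is allowed. */
static int policy(int uid) { return uid == 0 ? SEC_ALLOWED : SEC_DENIED; }

/* Design A: the hook reports its verdict through the shared global. */
static void hook_global(int uid) { kernel_security = policy(uid); }

/* Design B: the hook returns its verdict to its own caller. */
static int hook_return(int uid) { return policy(uid); }

/* Verdict that the caller with uid 1000 (must be denied) acts on when
 * a second caller's hook runs between its store and its read. */
int denied_caller_verdict_global(void)
{
    hook_global(1000);       /* CPU0: hook denies, stores SEC_DENIED      */
    hook_global(0);          /* CPU1: hook allows, overwrites the global  */
    return kernel_security;  /* CPU0: reads the global, sees SEC_ALLOWED  */
}

/* Same interleaving, but each verdict lives in its caller's own local. */
int denied_caller_verdict_return(void)
{
    int cpu0 = hook_return(1000);  /* CPU0's verdict */
    int cpu1 = hook_return(0);     /* CPU1's verdict, cannot touch cpu0 */
    (void)cpu1;
    return cpu0;
}

int main(void)
{
    printf("global variable: uid 1000 acts on %d (0 = allowed)\n",
           denied_caller_verdict_global());
    printf("return value:    uid 1000 acts on %d (-1 = denied)\n",
           denied_caller_verdict_return());
    return 0;
}
```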
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 10:14:28 PDT