A bit long, but I'm trying...

On Tue, 3 Jul 2001, Stephen Smalley wrote:

> The basic idea was to provide a module and utility that could be used
> to verify that for each system operation, the right set of hooks was
> called and the kernel responded properly when those hooks returned
> errors. Otherwise, it would be very easy for a hook call to become
> "lost" or bypassed when a set of updates were made to the kernel.
> I think the idea was proposed by Steve Kramer of HP.

Ouch! Big Job. Mighty hard diggin'!

The idea of "responded properly", it seems to me, would be module specific... appropriate responses would depend on the policy in force.

What I CAN do that might be generally useful is design a module that has an API that an application which exercises the "desirable" functions of the kernel can use to capture the results.

Such an API would be called before an exercise to register a "key", then the application would make calls to a specific syscall, and the responses would be recorded and keyed on the "registered" object. After the exercise, the app would read the results and process them however is important to the module under test. The module under test would be subordinated to the test module.

I might also be able to build a "tester application" that is somewhat generally useful, even with a simple scripting language to "tune" it, but, again, the specific results must be evaluated against the policy/module in force.

I may be too feeble-minded to see a totally general solution, but I don't think "proper response" is something that can be defined at this (or maybe any) point.

Would this be useful? If I get several replies in the affirmative, I'll put it on the agenda. It would be useful to our project, as well, I think. Otherwise, I request modifications to my basic plan be discussed so we can synthesize a better response, or arguments why it's not feasible at all.

Testing LSMEXAMPLE v0.4 against lsm-2001_06_20... now, will be online tonight.

Sincerely,
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------
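An added example (not part of the original message, and not code from the LSM project): a user-space C model of the test-module API proposed above, showing a register / exercise / read-back cycle that catches a "lost" hook. Every name in it (`tm_register`, `tm_hook`, `tm_check`, `sim_open`, the two hooks, the two sample policies) is hypothetical, and `sim_open` stands in for a real syscall path.

```c
/* User-space model of the proposed test module; every name is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum hook { HOOK_PERMISSION, HOOK_OPEN, HOOK_MAX };
struct record { int key; unsigned calls[HOOK_MAX]; int last_ret; };
static struct record rec;                /* results for the registered key */
static int (*subordinate)(enum hook);    /* module under test */

/* Called before an exercise: start a clean record under "key". */
void tm_register(int key, int (*module)(enum hook)) {
    memset(&rec, 0, sizeof rec);
    rec.key = key;
    subordinate = module;
}

/* Every hook goes through the test module, which logs the call and then
 * defers to the subordinated module for the verdict. */
static int tm_hook(enum hook h) {
    rec.calls[h]++;
    return subordinate ? subordinate(h) : 0;
}

/* Stand-in for a kernel operation. lose_hook models a kernel update that
 * accidentally bypasses the second hook call. */
int sim_open(int lose_hook) {
    int ret = tm_hook(HOOK_PERMISSION);
    if (ret) return rec.last_ret = ret;
    if (!lose_hook && (ret = tm_hook(HOOK_OPEN))) return rec.last_ret = ret;
    return rec.last_ret = 0;
}

/* Read back results after the exercise. Returns 0 if every expected hook
 * fired and the operation returned want_ret, 1 + index of the first missing
 * hook, -1 for a wrong return value, -2 for an unregistered key. */
int tm_check(int key, const unsigned expect[HOOK_MAX], int want_ret) {
    if (key != rec.key) return -2;
    for (int h = 0; h < HOOK_MAX; h++)
        if (expect[h] && !rec.calls[h]) return 1 + h;
    return rec.last_ret == want_ret ? 0 : -1;
}

/* Two sample policies standing in for a module under test. */
int allow_all(enum hook h) { (void)h; return 0; }
int deny_open(enum hook h) { return h == HOOK_OPEN ? -EACCES : 0; }

int main(void) {
    unsigned both[HOOK_MAX] = {1, 1};
    tm_register(1, deny_open); sim_open(1);   /* exercise with a lost hook */
    printf("check = %d\n", tm_check(1, both, -EACCES)); return 0;
}
```

The expected hook set and return value passed to `tm_check` are supplied by the caller, which matches the point made in the message that a "proper response" depends on the policy of the module under test.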
This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 13:42:37 PDT