James Morris wrote:
> Hi Folks,
>
> Attached below is a tentative patch to add hooks for network devices,
> based upon the currently released selinux code.
>
> The new hooks are:
>
> alloc_security()

We can always allocate the security context the first time we control
access to the device, so this call isn't absolutely necessary, but see
below:

> free_security()

In order to prevent memory leaks, this call is needed because the LSM
doesn't know when a device is disconnected unless it is told by a hook
somewhere. We can't rely on an ioctl() call to change a device state
before being deconfigured. So for symmetry, alloc_security() and
free_security() are both desirable.

> ioctl()
>

For SELinux-LSM, we can perform the ioctl checks on net devices in the
sys_ioctl hook. However, this requires a copy from user space in order
to retrieve the net device name. If that copy within a LSM isn't an
issue, this ioctl() call can be removed.

--
Wayne Salamon
wsalamonat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
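The three hooks under discussion can be modelled in user space to show why they fit together the way the reply argues: a context allocated per device, a matching free so that an unregistered device does not leak its context, and an ioctl check that has to copy the interface name out of a caller-controlled buffer before it can look the device up. The code below is an added example written for this archive page; it is not the patch from the thread, not kernel code, and not SELinux's implementation. `struct net_device`, `struct netdev_sec`, `struct ifreq_model`, the device table, the error constants and the label-equality policy are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAMSIZ 16            /* same bound the kernel uses for ifreq.ifr_name */
#define MAX_DEVS 4             /* size of the toy device table (assumption) */
#define ERR_PERM  (-1)         /* stand-ins for -EPERM and -ENODEV */
#define ERR_NODEV (-19)

struct netdev_sec { unsigned int sid; };   /* per-device label; layout assumed */

struct net_device {                        /* minimal stand-in for the kernel struct */
    char name[IFNAMSIZ];
    struct netdev_sec *security;           /* set by the alloc_security hook */
};

struct ifreq_model { char ifr_name[IFNAMSIZ]; };  /* model of ifreq's name field only */

static struct net_device devtab[MAX_DEVS];
static int ndevs;
static int live_contexts;      /* contexts allocated but not yet freed */

/* alloc_security hook: runs when a device is registered. */
int netdev_alloc_security(struct net_device *dev, unsigned int sid)
{
    struct netdev_sec *sec = calloc(1, sizeof *sec);
    if (!sec) return -1;
    sec->sid = sid;
    dev->security = sec;
    live_contexts++;
    return 0;
}

/* free_security hook: the only point at which the module learns the device
   is gone; without it live_contexts would never return to zero. */
void netdev_free_security(struct net_device *dev)
{
    if (!dev->security) return;
    free(dev->security);
    dev->security = NULL;
    live_contexts--;
}

int netdev_live_contexts(void) { return live_contexts; }

struct net_device *register_dev(const char *name, unsigned int sid)
{
    if (ndevs >= MAX_DEVS) return NULL;
    struct net_device *dev = &devtab[ndevs];
    strncpy(dev->name, name, IFNAMSIZ - 1);
    dev->name[IFNAMSIZ - 1] = '\0';
    if (netdev_alloc_security(dev, sid) != 0) return NULL;
    ndevs++;
    return dev;
}

void unregister_dev(struct net_device *dev)
{
    netdev_free_security(dev);  /* paired with alloc_security, as the reply asks */
    dev->name[0] = '\0';        /* slot stays but no longer matches any lookup */
}

static struct net_device *lookup_dev(const char *name)   /* toy dev_get_by_name() */
{
    for (int i = 0; i < ndevs; i++)
        if (devtab[i].name[0] && strncmp(devtab[i].name, name, IFNAMSIZ) == 0)
            return &devtab[i];
    return NULL;
}

/* Model of the copy from user space: take exactly IFNAMSIZ bytes and force a
   terminator, because the caller controls the buffer and may not have NUL-terminated it. */
static void copy_ifr_name(char dst[IFNAMSIZ], const struct ifreq_model *user_req)
{
    memcpy(dst, user_req->ifr_name, IFNAMSIZ);
    dst[IFNAMSIZ - 1] = '\0';
}

/* ioctl hook check. Policy (assumed for the example): allow only when the
   caller's label equals the device's label. */
int netdev_ioctl_check(unsigned int caller_sid, const struct ifreq_model *user_req)
{
    char name[IFNAMSIZ];
    copy_ifr_name(name, user_req);
    struct net_device *dev = lookup_dev(name);
    if (!dev) return ERR_NODEV;
    return dev->security->sid == caller_sid ? 0 : ERR_PERM;
}

struct ifreq_model make_req(const char *name)        /* constructed, well-formed request */
{
    struct ifreq_model req;
    memset(req.ifr_name, 0, IFNAMSIZ);
    strncpy(req.ifr_name, name, IFNAMSIZ - 1);
    return req;
}

struct ifreq_model make_unterminated_req(void)       /* constructed: 16 non-NUL bytes */
{
    struct ifreq_model req;
    memset(req.ifr_name, 'A', IFNAMSIZ);
    return req;
}

int main(void)
{
    struct net_device *eth0 = register_dev("eth0", 5);
    struct ifreq_model r = make_req("eth0");
    printf("same label: %d, other label: %d\n",
           netdev_ioctl_check(5, &r), netdev_ioctl_check(7, &r));
    unregister_dev(eth0);
    printf("live contexts after unregister: %d\n", netdev_live_contexts());
    return 0;
}
```

The unterminated request is the case the copy step has to survive: the bounded copy plus forced terminator means the lookup simply fails to match instead of reading past the name field, and the context count returning to zero after `unregister_dev` is the symmetry the reply argues for.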
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 06:26:29 PDT