Is anyone from GR Security on the list? GRSEC has ported Solar's work to
2.4, and may be able to offer some code.

-- Matt

-----Original Message-----
From: linux-security-module-adminat_private
[mailto:linux-security-module-adminat_private] On Behalf Of richard offer
Sent: Friday, August 03, 2001 8:33 PM
To: linux-security-moduleat_private
Subject: Re: File descriptors: LSM should support them in phase 1.

* frm crispinat_private "07/24/01 16:18:57 -0700" | sed '1,$s/^/* /'
*
*
* Seth said (paraphrasing) "to support Solar Designer stdin/out/error
* special handling hack." These appear to be substantially the same issue.
*
* Main obstacle: Solar is not on this list. In private mail, Solar said
* that he likes the project, but that he doesn't have time for another
* mailing list.
*
* So how about someone who is motivated to get fd's into the LSM patch
* (either SGI or someone else) port some subset of the Solar Designer patch
* to the LSM+fd parms. We will then have a very well motivated example in
* hand should anyone in linux kernel space question this decision.

I've spent the last week trying to do this (Casey doesn't know exactly how
much time I wasted on this instead of what I should have been doing, so
let's not tell him).

I'm out of time and am giving up (for the time being).

1) The solar designer port is for 2.2

2) It works by intercepting the fds at exec time, so passing fd to (for
example) the read hook isn't going to help using their existing
implementation.

3) Adding an open()/close() (or possibly post_*) hook to check for the
special fds is right out as that isn't going to get past Greg :-)

If anyone has any suggested alternative implementations I'll try to fit in
some more work on it.

I'm guessing that about kills any chance of getting the fd parameters into
phase I :-(

Of course that won't stop us trying :-)

* Crispin

richard.

-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 10:02:41 PDT