On Thu, 9 Aug 2001, Lachlan McIlroy wrote:

> There was some minor discussion recently about modules
> needing to modify the system call table to create module
> specific system calls. It prompted me to investigate a
> fixed system call for LSM that will multiplex the variety
> of system calls required for each different security
> scheme. I've attached a patch of the proposed idea for
> people to comment on.

For the SELinux module, I multiplexed our new operations through an interface based on the existing Linux socketcall interface for multiplexing socket operations - See net/socket.c:sys_socketcall. I added a magic number parameter similar to your module id. In that form, the entrypoint function only copies in the args array, leaving the copyin/copyout of particular pointer args to the individual operations.

While I understand the appeal of doing all of the copyin/copyout from the entrypoint function, it seems unnecessarily limiting. Also, even if we were to take your approach, shouldn't the length parameter be in/out (unsigned long *length) so that the output data can have a different length than the input data?

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
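A user-space model of the socketcall-style multiplexing and the in/out length parameter discussed in the message above, added here as an illustration; it is not code from the SELinux module or from the proposed patch. All names (`SEC_MAGIC`, `sec_call`, `op_get_label`, the `demo_label` value) are hypothetical, and `copy_in`/`copy_out` stand in for the kernel's user-copy helpers.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define SEC_MAGIC 0x5ec0ffeeUL                 /* constructed magic value */
enum { OP_GET_LABEL = 1, OP_MAX = 1 };         /* hypothetical call numbers */
static const unsigned char nargs[OP_MAX + 1] = { 0, 2 };  /* args per call */

/* Stand-ins for copy_from_user()/copy_to_user(): a NULL "user" pointer faults. */
static int copy_in(void *dst, const void *usrc, size_t n)
{ if (!usrc) return -EFAULT; memcpy(dst, usrc, n); return 0; }
static int copy_out(void *udst, const void *src, size_t n)
{ if (!udst) return -EFAULT; memcpy(udst, src, n); return 0; }

/* One operation: a[0] = user buffer, a[1] = user pointer to in/out length.
 * The operation, not the entrypoint, copies its own pointer arguments. */
static long op_get_label(const unsigned long *a)
{
    static const char label[] = "demo_label";  /* constructed sample data */
    size_t cap, need = sizeof(label);

    if (copy_in(&cap, (const void *)a[1], sizeof(cap)))    /* in: capacity */
        return -EFAULT;
    if (copy_out((void *)a[1], &need, sizeof(need)))       /* out: real size */
        return -EFAULT;
    if (cap < need)
        return -ERANGE;            /* caller can retry with the reported size */
    return copy_out((void *)a[0], label, need);
}

/* Entrypoint: checks magic and call number, copies in only the args array. */
long sec_call(unsigned long magic, unsigned int call, const unsigned long *uargs)
{
    unsigned long a[2];
    if (magic != SEC_MAGIC || call < 1 || call > OP_MAX)
        return -EINVAL;            /* reject before touching user memory */
    if (copy_in(a, uargs, nargs[call] * sizeof(a[0])))
        return -EFAULT;
    switch (call) {
    case OP_GET_LABEL: return op_get_label(a);
    default:           return -EINVAL;
    }
}

int main(void)
{
    char buf[32]; size_t len = sizeof(buf);
    unsigned long args[2] = { (unsigned long)buf, (unsigned long)&len };
    return sec_call(SEC_MAGIC, OP_GET_LABEL, args) == 0 ? 0 : 1;
}
```

Because the length is passed by pointer, a caller whose buffer is too small gets `-ERANGE` together with the size it needs, which a by-value length could not report.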
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 05:51:41 PDT