Re: Possible system call interface for LSM

From: Stephen Smalley (sdsat_private)
Date: Thu Aug 09 2001 - 05:49:29 PDT

    On Thu, 9 Aug 2001, Lachlan McIlroy wrote:
    
    > There was some minor discussion recently about modules
    > needing to modify the system call table to create module
    > specific system calls.  It prompted me to investigate a
    > fixed system call for LSM that will multiplex the variety
    > of system calls required for each different security
    > scheme.  I've attached a patch of the proposed idea for
    > people to comment on.
    
    For the SELinux module, I multiplexed our new operations through
    an interface based on the existing Linux socketcall interface for
    multiplexing socket operations - See net/socket.c:sys_socketcall.
    I added a magic number parameter similar to your module id.
    In that form, the entrypoint function only copies in the args 
    array, leaving the copyin/copyout of particular pointer args to the
    individual operations.
    
    While I understand the appeal of doing all of the copyin/copyout
    from the entrypoint function, it seems unnecessarily limiting.
    Also, even if we were to take your approach, shouldn't the length
    parameter be in/out (unsigned long *length) so that the output
    data can have a different length than the input data?
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
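The design Smalley describes above (a socketcall-style entry point that validates a magic number and call number, copies in only the fixed-size args array, and leaves per-operation copyin/copyout to the handlers, with an in/out length so output can be shorter or longer than the caller's buffer) is easier to reason about with a concrete model. The following is an added, user-space C sketch written for this page; it is not code from SELinux, from Lachlan McIlroy's patch, or from the kernel. The call numbers, `LSM_MAGIC`, the `copy_from_user`/`copy_to_user` stand-ins and the per-pid context store are all assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space model of a socketcall-style multiplexed LSM syscall.
 * "User" pointers are ordinary pointers here; the two copy helpers are
 * stand-ins (assumption) for the kernel's copy_from_user/copy_to_user. */

#define LSM_MAGIC 0x4c534d31UL   /* hypothetical module id, not from the thread */

enum { LSMCALL_GETCTX = 1, LSMCALL_SETCTX = 2, LSMCALL_MAX = 2 };

/* Number of unsigned long args per call, like socketcall's nargs[] table. */
static const unsigned char nargs[LSMCALL_MAX + 1] = { 0, 3, 3 };

static int copy_from_user(void *dst, const void *usrc, size_t n)
{
    if (usrc == NULL) return -EFAULT;     /* model an unmapped user pointer */
    memcpy(dst, usrc, n);
    return 0;
}

static int copy_to_user(void *udst, const void *src, size_t n)
{
    if (udst == NULL) return -EFAULT;
    memcpy(udst, src, n);
    return 0;
}

/* Toy per-pid security context store (constructed sample data). */
#define MAX_PIDS 8
#define CTX_MAX  64
static char contexts[MAX_PIDS][CTX_MAX] = { "system_u:system_r:kernel_t" };

/* GETCTX does its own copyin of *ulen and copyout of the context.
 * ulen is in/out: on entry the caller's buffer size, on exit the size
 * the context needs, which is reported even when the buffer is too small. */
static long op_getctx(unsigned long pid, char *ubuf, unsigned long *ulen)
{
    unsigned long len, need;
    if (pid >= MAX_PIDS) return -ESRCH;
    if (copy_from_user(&len, ulen, sizeof(len))) return -EFAULT;
    need = strlen(contexts[pid]) + 1;
    if (copy_to_user(ulen, &need, sizeof(need))) return -EFAULT;
    if (len < need) return -ERANGE;
    if (copy_to_user(ubuf, contexts[pid], need)) return -EFAULT;
    return 0;
}

/* SETCTX copies into a bounded temporary first so a fault leaves the
 * stored context untouched. */
static long op_setctx(unsigned long pid, const char *ubuf, unsigned long len)
{
    char tmp[CTX_MAX];
    if (pid >= MAX_PIDS) return -ESRCH;
    if (len == 0 || len >= sizeof(tmp)) return -EINVAL;
    if (copy_from_user(tmp, ubuf, len)) return -EFAULT;
    tmp[len] = '\0';
    memcpy(contexts[pid], tmp, len + 1);
    return 0;
}

/* The multiplexing entry point: check magic and call number, copy in only
 * the args array (nargs[call] words), then dispatch. Pointer args inside
 * the array are NOT dereferenced here; each operation copies them itself. */
long sys_lsmcall(unsigned long magic, int call, const unsigned long *uargs)
{
    unsigned long a[3];
    if (magic != LSM_MAGIC) return -EINVAL;
    if (call < 1 || call > LSMCALL_MAX) return -EINVAL;
    if (copy_from_user(a, uargs, nargs[call] * sizeof(unsigned long)))
        return -EFAULT;
    switch (call) {
    case LSMCALL_GETCTX:
        return op_getctx(a[0], (char *)a[1], (unsigned long *)a[2]);
    case LSMCALL_SETCTX:
        return op_setctx(a[0], (const char *)a[1], a[2]);
    }
    return -EINVAL;
}

int main(void)
{
    char buf[CTX_MAX];
    unsigned long len = sizeof(buf);
    unsigned long args[3] = { 0, (unsigned long)buf, (unsigned long)&len };
    long rc = sys_lsmcall(LSM_MAGIC, LSMCALL_GETCTX, args);
    printf("rc=%ld len=%lu ctx=%s\n", rc, len, rc == 0 ? buf : "(none)");
    return 0;
}
```

The short-buffer path is where the in/out length matters: the handler stores the required size back through `ulen` before returning `-ERANGE`, so a caller can retry with a correctly sized buffer, something a single input-only length in the entry point could not express.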