Re: Possible system call interface for LSM

• Previous message: James Morris: "Re: [patch] Socket Receive Hook"
• In reply to: Stephen Smalley: "Re: Possible system call interface for LSM"
• Next in thread: Seth Arnold: "Re: Possible system call interface for LSM"
• Reply: Seth Arnold: "Re: Possible system call interface for LSM"
• Reply: richard offer: "Re: Possible system call interface for LSM"
• Reply: Crispin Cowan: "Re: Possible system call interface for LSM"
• Reply: Stephen Smalley: "Re: Possible system call interface for LSM"
• Reply: Lachlan McIlroy: "RE: Possible system call interface for LSM"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* frm sdsat_private "08/09/01 09:11:32 -0400" | sed '1,$s/^/* /'
*
* 
* On Thu, 9 Aug 2001, Stephen Smalley wrote:
* 
*> While I understand the appeal of doing all of the copyin/copyout
*> from the entrypoint function, it seems unnecessarily limiting.
* 
* To be more specific, this would be very problematic for some of our
* new operations, which are merely extended forms of existing system 
* calls (e.g. extended forms of stat, mkdir, execve, ... that have
* additional input or output parameters for security attributes).
* These operations actually invoke the ordinary system calls 
* (in between some pre and post processing to handle the additional
* parameters), so they don't want to have to do the copyin/copyout
* as a block on entry and exit.

In light of that case does it make sense to change the prototype from 

    int  (* syscall)        (int cmd, char *data, int length);

to
    int  (* syscall)        (int cmd, int copy_flag, void *data, int
*length);


I personally would rather have length pass by value than reference.


with copy_flag either DATA_IS_USER_SPACE or DATA_IS_KERNEL_SPACE ? (ToDo:
make up better names)


It seems that the general case would be to copy data (so removing the code
seems like a bad idea), SELinux has specific requirements where that would
cause a significant problem, so lets let them not have to copy when they
don't want too.

The only problem I have about having security.h maintaining the list of
policy ID numbers is that that is going to have to change everytime someone
writes a new policy. 

And we're going to get into the issue of "we're not going to accept your
policy in phase 1" even if all that's required is an ID number.

Perhaps it should be vendor rather than policy specific ? It forces the
vendor of the policy to be self consistant withing their organisation in
terms of cmd codes and would require less changes to security.h before and
after the code is mainlined ?

* 
* --
* Stephen D. Smalley, NAI Labs
* ssmalleyat_private
* 

richard.


-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________


_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Seth Arnold: "Re: Possible system call interface for LSM"
• Previous message: James Morris: "Re: [patch] Socket Receive Hook"
• In reply to: Stephen Smalley: "Re: Possible system call interface for LSM"
• Next in thread: Seth Arnold: "Re: Possible system call interface for LSM"
• Reply: Seth Arnold: "Re: Possible system call interface for LSM"
• Reply: richard offer: "Re: Possible system call interface for LSM"
• Reply: Crispin Cowan: "Re: Possible system call interface for LSM"
• Reply: Stephen Smalley: "Re: Possible system call interface for LSM"
• Reply: Lachlan McIlroy: "RE: Possible system call interface for LSM"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 08:51:37 PDT