David Wagner wrote:

> Yes, you're absolutely right.  Would the folks who want syscalls
> be willing to post what functionality they expect to require, so
> we can get some idea of which solutions will and won't work?

Here's the man page for change_hat() which is what SubDomain wants.

Crispin

------------------------------------------------------------------------

CHANGE_HAT(2)                                                CHANGE_HAT(2)

NAME
       change_hat - change to or from a subdomain within a codomain profile

SYNOPSIS
       #include <unistd.h>

       int change_hat (char *subdomain, u32 magic_token);

DESCRIPTION
       A profile applying to a fixed executable program is called a
       "codomain" (a pun on "code" and "domain"), whereas a profile
       applying only to a portion of the execution behavior of a program
       is called a "subdomain".

       If a program wants to change its currently running codomain
       profile into a subdomain profile, it calls the change_hat function
       to do so. It passes in a pointer to the subdomain which it wants
       to change into, and a 32-bit magic_token. The magic_token is used
       to return out of the subdomain at a later time.

       If a program wants to return out of the current subdomain to the
       original codomain, it calls change_hat with a pointer to NULL as
       the subdomain, and the original magic_token value. If the
       magic_token does not match the original magic_token passed into
       the kernel when the program entered the subdomain, the change back
       to the original codomain will not happen, and the current task
       will be killed. If the magic_token matches the original token,
       then the profile will be changed back to the original codomain.

RETURN VALUE
       On success zero is returned. On error, -1 is returned, and errno
       is set appropriately.

ERRORS
       ENOMEM Insufficient kernel memory was available.

       EACCES The magic_token passed in was 0, which is not a valid value
              for the magic_token, or the specified subdomain does not
              exist in this codomain profile.

       EFAULT An internal error occurred.

EXAMPLE
       void foo (void)
       {
               int magic_token;

               /* get a random magic token value from our huge entropy pool */
               magic_token = random_function();

               /* change into the subdomain while we do stuff we don't trust */
               sys_change_hat ("stuff_we_dont_trust", magic_token);

               /* Go do stuff we don't trust -- this is all done in *this*
                * process space, no separate fork()/exec()'s are done. */
               interpret_perl_stuff(stuff_from_user);

               /* now change back to our original codomain */
               sys_change_hat (NULL, magic_token);
       }

CONFORMING TO
       Nothing :)  This is an Immunix addition to the Linux kernel.

BUGS
       None known.

SEE ALSO
       subdomain.conf(5) subdomain_parser(8)

                               13 Sep 2000                              1

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
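Added example, not part of the original post and not Immunix code: a user-space C model of the change_hat() token rules from the man page above (zero token, unknown subdomain, matching and mismatched return). struct task, deny(), model_change_hat(), the token values and the two cases marked as assumptions are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the change_hat() rules described in the man page.
 * struct task and model_change_hat() are hypothetical names, not Immunix code. */
struct task {
    const char *const *hats; /* subdomains in the codomain profile, NULL-terminated */
    const char *current;     /* NULL while running under the codomain itself */
    uint32_t token;          /* magic_token recorded on entry to the subdomain */
    int killed;              /* set when a mismatched token kills the task */
};
static int deny(void) { errno = EACCES; return -1; }

int model_change_hat(struct task *t, const char *subdomain, uint32_t magic_token)
{
    if (magic_token == 0)                /* EACCES: 0 is not a valid token */
        return deny();
    if (subdomain != NULL) {
        int found = 0;
        for (const char *const *h = t->hats; *h != NULL; h++)
            found |= (strcmp(*h, subdomain) == 0);
        /* EACCES: no such subdomain. Assumption: a task already inside a
         * subdomain is refused too; the man page does not cover that case. */
        if (t->current != NULL || !found)
            return deny();
        t->current = subdomain;
        t->token = magic_token;
        return 0;
    }
    if (t->current == NULL)              /* assumption: nothing to return from */
        return 0;
    if (magic_token != t->token) {       /* wrong token: no change back, task dies */
        t->killed = 1;
        return -1;
    }
    t->current = NULL;                   /* token matches: back to the codomain */
    return 0;
}

int main(void)
{
    static const char *const hats[] = { "stuff_we_dont_trust", NULL };
    struct task t = { hats, NULL, 0, 0 };
    model_change_hat(&t, "stuff_we_dont_trust", 0x5eed1234u); /* constructed token */
    int rc = model_change_hat(&t, NULL, 0x0badc0deu);         /* wrong token */
    printf("rc=%d killed=%d still in %s\n", rc, t.killed, t.current);
    return 0;
}
```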