On Fri, 10 Aug 2001, Lachlan McIlroy wrote:

> If the module forgets to do this check then there could be
> problems. The application performing the system call and
> the module must agree on a format for the arguments in order
> to pass them through this generic system call. It makes
> sense to me that an application using policy A should not
> even begin execute the system call belonging to a module
> using policy B. Do you have a need to do otherwise?

Well, generally speaking, if the module is poorly designed and
forgets to do checks there will be problems, anyway.

By stopping the syscall before the hook a stacking module doesn't
get the ID, and therefore it's the stacking module's id, not the ID
of any subordinately registered module that holds sway.

If the ID is passed to the module (which I suggested yesterday with
a "PASS" value to stop the in-kernel block), the
identification/format-matching can be handled there, and a stacking
module might even multiplex several subordinate modules based on
this information.

The simplest solution is just to pass the ID as an argument in the
hook.

>
> ---
> Lachlan McIlroy Phone: +61 3 9596 4155
> Trusted Linux Fax: +61 3 9596 2960
> Adacel Technologies Ltd www.adacel.com
>
>

J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
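The two designs discussed in this message, as an added userspace model in C that is not part of the original post or of the LSM patch. Every name, ID value and return code here (`sys_security_checked`, `sys_security_pass`, `stacker_hook`, IDs 0x5/0xA/0xB) is hypothetical and chosen only for illustration.

```c
/* Userspace model only; all names and IDs are hypothetical, not the LSM API. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*sec_hook)(unsigned int id, unsigned int call, unsigned long *args);
struct sec_module { unsigned int id; sec_hook hook; };

/* Subordinate modules: each checks that the ID (argument format) is its own. */
static int mod_a_hook(unsigned int id, unsigned int call, unsigned long *args)
{ (void)call; (void)args; return id == 0xA ? 100 : -EINVAL; }
static int mod_b_hook(unsigned int id, unsigned int call, unsigned long *args)
{ (void)call; (void)args; return id == 0xB ? 200 : -EINVAL; }

static struct sec_module subordinates[] = { {0xA, mod_a_hook}, {0xB, mod_b_hook} };

/* Stacking module: multiplexes on the caller-supplied ID, fails closed. */
static int stacker_hook(unsigned int id, unsigned int call, unsigned long *args)
{
    for (size_t i = 0; i < sizeof subordinates / sizeof subordinates[0]; i++)
        if (subordinates[i].id == id)
            return subordinates[i].hook(id, call, args);
    return -EINVAL; /* no subordinate understands this format */
}

/* Only the stacker is registered with the "kernel", under its own ID. */
static struct sec_module primary = { 0x5, stacker_hook };

/* Design 1: the kernel stops the call on ID mismatch, before the hook. */
int sys_security_checked(unsigned int id, unsigned int call, unsigned long *args)
{
    if (id != primary.id)
        return -ENOSYS;
    return primary.hook(id, call, args);
}

/* Design 2: the ID is passed as a hook argument; the module does the matching. */
int sys_security_pass(unsigned int id, unsigned int call, unsigned long *args)
{
    return primary.hook(id, call, args);
}

int main(void)
{
    printf("checked, id=0xA: %d\n", sys_security_checked(0xA, 0, NULL));
    printf("checked, id=0x5: %d\n", sys_security_checked(0x5, 0, NULL));
    printf("pass,    id=0xA: %d\n", sys_security_pass(0xA, 0, NULL));
    printf("pass,    id=0xC: %d\n", sys_security_pass(0xC, 0, NULL));
    return 0;
}
```

With the in-kernel check, callers of the subordinate policies are rejected before the stacker sees them; with the ID passed through, the format check still happens, but inside the module that owns the format.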
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 08:31:41 PDT