Re: Possible system call interface for LSM

From: Greg KH (gregat_private)
Date: Fri Aug 10 2001 - 12:30:46 PDT


    On Fri, Aug 10, 2001 at 02:57:47PM -0400, Stephen Smalley wrote:
    > 
    > I'm not worried about stacking modules (currently).  I just want my
    > modified applications to be able to test for the presence of the SELinux
    > module and to fall back on ordinary Unix behavior if it is not present.
    > In the original SELinux prototype, they just tried one of the new 
    > syscalls (the one that just returns the current process SID) and
    > checked for ENOSYS.  With LSM, the syscall is always present but
    > SELinux might not be, so I want a magic number/module id that I can use.
    > Naturally, I also need the dummy syscall function to always return
    > something like -ENOPKG.
    
    I'd recommend having the applications test for something else, instead
    of a syscall (that's a huge abuse of a syscall if I've ever seen one :)
    
    Like if selinuxfs is mounted, or a specific /proc entry is present or
    just looking at the current /proc/modules.  Let's not try to invent a
    new way of determining if a module is loaded or not when there already
    are ways of doing so.
    
    thanks,
    
    greg k-h
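
The presence test suggested in the message above, written out as an added example; it is not code from the original post or from the LSM or SELinux projects. It assumes the usual whitespace-separated field layout of /proc/mounts and /proc/modules, and the module name "selinux" is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* /proc/mounts line: "device mountpoint fstype options dump pass".
 * Match the third field exactly; device and mountpoint are skipped. */
static int mount_line_has_fstype(const char *line, const char *fstype)
{
    char type[64];
    return sscanf(line, "%*s %*s %63s", type) == 1 && strcmp(type, fstype) == 0;
}

/* /proc/modules line: "name size refcount ...". Exact match on the name,
 * so a module that merely starts with the same letters does not count. */
static int module_line_is(const char *line, const char *name)
{
    char mod[64];
    return sscanf(line, "%63s", mod) == 1 && strcmp(mod, name) == 0;
}

/* Scan a file line by line. A missing or unreadable file counts as
 * "not present", so the caller falls back to ordinary Unix behaviour. */
static int any_line_matches(const char *path, const char *needle,
                            int (*match)(const char *, const char *))
{
    char line[4096];
    int found = 0;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f))
        found = match(line, needle);
    fclose(f);
    return found;
}

/* Assumption for this example: the module would be listed as "selinux". */
static int selinux_present(void)
{
    return any_line_matches("/proc/mounts", "selinuxfs", mount_line_has_fstype) ||
           any_line_matches("/proc/modules", "selinux", module_line_is);
}

int main(void)
{
    /* Constructed sample line, not taken from a real system. */
    const char *sample = "none /selinux selinuxfs rw 0 0\n";
    printf("sample line matches: %d\n", mount_line_has_fstype(sample, "selinuxfs"));
    puts(selinux_present() ? "SELinux present" : "SELinux absent, plain Unix behaviour");
    return 0;
}
```

Matching whole fields rather than searching for a substring keeps a mount whose device label happens to be "selinuxfs", or a module with a similar name, from being mistaken for the real thing.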
    