* frm gregat_private "08/10/01 15:10:00 -0700" | sed '1,$s/^/* /' * * On Fri, Aug 10, 2001 at 02:43:14PM -0700, richard offer wrote: *> *> Its not only the application, but the module too, if I know that I'm *> being called from an application that is my policy aware, I can be less *> conservative about checking the values of the parameters since those *> would have been generated correctly by my policy specific application *> library layer. * * Think about what you just said. Basically, "A simple value is all I * need to validate that I a really running my trusted application so I * will not do the normal kernel checks just for it, that I would do for * any other program." I'm aware of what I said, I just wanted to see if you were paying attention :-) * * Remind me never to run your kernel modules on my machines :) You're not going to anyway, they all use audit... ;-| * *> Using a simple array of longs turns the system call into a private *> protocol, there should be someway to confirm that both ends are indeed *> talking the same private protocol. * * Hence the argument "call". That defines the structure of the array of * longs. How many different "identifiers" do you need before you * understand what the syscall wants to do? "call" does not define the data structure. It defines the version of the private protocol you're using, it says nothing about other peoples protocols. Hands up who's using 1,2,3,4 for their "call" values ? If Stephen and I both use a cmd value of 1, but a different number of params, there's going to be issues. My application will pass two values to the system call, Stephens policy will read that okay but not be able to do anything with as the number is wrong (it was the bottom half of a long long variable), he will probably return -EINVAL. Or if his policy was assuming that they would be kernel pointers then he wont have done any user->kernel conversion and .... Stephens application will only pass a single long to the system call, my policy will try and read two and return EFAULT. The application is login (PAM) and it was coded to check for -ENOSYS on its extended security handling. Since EINVAL and EFAULT are "normal" normal errors that mean "re-try", it will just proceed merrily on and lock you out. If everyone picks a unique cmd, there are no problems, that's not going to happen. There are going to be conflicts (and with one value of "call" required for each system call, its going to happen quickly), lets manage that now rather than later. * * greg k-h * richard. ----------------------------------------------------------------------- Richard Offer Technical Lead, Trust Technology, SGI "Specialization is for insects" _______________________________________________________________________ _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 16:22:30 PDT