On Fri, 10 Aug 2001, Greg KH wrote:

> On Fri, Aug 10, 2001 at 02:43:14PM -0700, richard offer wrote:
> > Using a simple array of longs turns the system call into a private
> > protocol, there should be some way to confirm that both ends are indeed
> > talking the same private protocol.
>
> Hence the argument "call". That defines the structure of the array of
> longs. How many different "identifiers" do you need before you
> understand what the syscall wants to do?

Being (obviously) the slowest thinker here, I'm trying to figure out why there's a difference of position on this. Forgive me if I state the obvious.

Actually, since you've got a pointer to an array of longs, that pointer can be cast to anything. If a "magic key" gives some assurance, just make it the first long (or the first 8, depending on how much magic you need (or 8 additional after the end, if you want to mimic some "non-safe" interface.)) This would seem pretty equivalent to me to an additional formal parameter that, basically, does the same thing.

That solves the module side problem of rejecting requests from applications that don't weave that ol' magic. The only "vulnerability" I can imagine is a module that just takes the arguments at face value and blows a cork.

If you have a publicly published (via a central registry) key, or one that resides in a ton of applications, that simply makes it easier for an evil-application to pick the lock. If you use a private key, and then assume anybody with that key is trustworthy, you're (maybe) a little safer, except from innocent errors or corrupted applications (which would already have the key), and, truly-evil applications, so, therefore, you still need to check everything carefully.

The benefits to stacking from a "PASS" key or passing the id through can easily be duplicated without any such thing, it doesn't HAVE to be done in a separate argument, for those reasons.

I agree there's a need for the application to verify the module is correct and then fail gracefully... this goes all the way back to our discussions months ago about providing userspace with information about the module's abilities (in the coarsest possible way), but I don't see how it HAS to be in the syscall argument list...

>
> greg k-h
>

Can Somebody Enlighten Me?

J. Melvin Jones

P.S. -- Yes, yes, I find myself agreeing with Greg. Who'd ever have thunk it?

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
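
Added example (not part of the original message and not code from any LSM module): a user-space sketch of the module-side check discussed above, with the magic key carried as the first long of the array and every remaining argument still validated. All names and values (demo_module_call, DEMO_MAGIC, DEMO_CALL_SETLEVEL, the nargs parameter standing in for the number of longs copied from the caller) are hypothetical.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical values for illustration; not from any real module. */
#define DEMO_MAGIC         0x4c534d31L  /* constructed magic key */
#define DEMO_CALL_SETLEVEL 1u
#define DEMO_MAX_LEVEL     7L

static long demo_level;

/*
 * Module-side handler. args[0] carries the magic key; the remaining
 * longs are laid out as defined by 'call'. nargs is an assumption that
 * stands in for how many longs the module copied from the caller.
 */
long demo_module_call(unsigned int call, const long *args, size_t nargs)
{
    if (args == NULL || nargs < 1)
        return -EINVAL;
    /* Reject callers that are not speaking this module's protocol. */
    if (args[0] != DEMO_MAGIC)
        return -ENOSYS;

    switch (call) {
    case DEMO_CALL_SETLEVEL:
        /* The key says nothing about the payload: check it anyway. */
        if (nargs != 2)
            return -EINVAL;
        if (args[1] < 0 || args[1] > DEMO_MAX_LEVEL)
            return -ERANGE;
        demo_level = args[1];
        return 0;
    default:
        return -ENOSYS;
    }
}

long demo_current_level(void) { return demo_level; }

int main(void)
{
    long ok[]  = { DEMO_MAGIC, 3 };     /* constructed sample input */
    long bad[] = { DEMO_MAGIC, 9999 };  /* right key, bad payload */
    demo_module_call(DEMO_CALL_SETLEVEL, ok, 2);
    return demo_module_call(DEMO_CALL_SETLEVEL, bad, 2) == -ERANGE ? 0 : 1;
}
```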
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 16:27:26 PDT