Re: Possible system call interface for LSM

From: jmjonesat_private
Date: Fri Aug 10 2001 - 16:25:36 PDT

    On Fri, 10 Aug 2001, Greg KH wrote:
    
    > On Fri, Aug 10, 2001 at 02:43:14PM -0700, richard offer wrote:
    
    > > Using a simple array of longs turns the system call into a private
    > > protocol, there should be some way to confirm that both ends are indeed
    > > talking the same private protocol.
    > 
    > Hence the argument "call".  That defines the structure of the array of
    > longs.  How many different "identifiers" do you need before you
    > understand what the syscall wants to do?
    
    Being (obviously) the slowest thinker here, I'm trying to figure out why
    there's a difference of position on this.  Forgive me if I state the
    obvious. 
    
    Actually, since you've got a pointer to an array of longs, that pointer
    can be cast to anything.  If a "magic key" gives some assurance,
    just make it the first long (or the first 8, depending on how much magic
    you need (or 8 additional after the end, if you want to mimic some
    "non-safe" interface.)) This would seem pretty equivalent to me to an
    additional formal parameter that, basically, does the same thing.
    
    That solves the module side problem of rejecting requests from
    applications that don't weave that ol' magic.
    
    The only "vulnerability" I can imagine is a module that just takes the
    arguments at face value and blows a cork.  If you have a publicly
    published (via a central registry) key, or one that resides in a ton of
    applications, that simply makes it easier for an evil-application to pick
    the lock.  If you use a private key, and then assume anybody with that key
    is trustworthy, you're (maybe) a little safer, except from innocent
    errors or corrupted applications (which would already have the key), and,
    truly-evil applications, so, therefore, you still need to check
    everything carefully.
    
    The benefits to stacking from a "PASS" key or passing the id through can
    easily be duplicated without any such thing, it doesn't HAVE to be done in
    a separate argument, for those reasons.  
    
    I agree there's a need for the application to verify the module is correct
    and then fail gracefully... this goes all the way back to our discussions
    months ago about providing userspace with information about the module's 
    abilities (in the coarsest possible way), but I don't see how it HAS to be
    in the syscall argument list...
    
    > 
    > greg k-h
    > 
    
    Can Somebody Enlighten Me?
    J. Melvin Jones
    
    P.S. -- Yes, yes, I find myself agreeing with Greg.  Who'd ever have thunk
    it?
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
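The design sketched in this exchange is a syscall that takes a "call" selector plus a pointer to an array of longs, with a magic key carried in the first long, and a module that must still check every field rather than taking the arguments at face value. The hypothetical dispatcher below is an added illustration of that checking discipline, not code from this list or from the LSM project; the magic value, version field, call identifiers and per-call payload sizes are all constructed for the example.

```c
#include <stddef.h>

/* Constructed protocol header: args[0] = magic key, args[1] = protocol version. */
#define LSM_DEMO_MAGIC   0x4c534d31L   /* "LSM1", invented for this example */
#define LSM_DEMO_VERSION 1L
#define LSM_DEMO_HDR_LEN 2
#define MAX_LABEL_LEN    64            /* invented limit for the label call */

/* Hypothetical call identifiers; the "call" argument fixes the array layout. */
enum lsm_demo_call { CALL_GET_CAPS = 0, CALL_SET_LABEL = 1, CALL_COUNT };

/* Number of payload longs each call expects after the two-long header. */
static const size_t call_payload_len[CALL_COUNT] = { 0, 2 };

enum lsm_demo_status {
    ST_OK = 0, ST_BAD_MAGIC, ST_BAD_VERSION, ST_BAD_CALL, ST_BAD_LEN, ST_BAD_ARG
};

/* Module-side entry point. The magic key only says "same protocol"; every
 * field is still range-checked before anything acts on it, so a buggy,
 * corrupted or hostile caller with the right key cannot "blow a cork". */
int lsm_demo_syscall(long call, const long *args, size_t nargs)
{
    if (args == NULL || nargs < LSM_DEMO_HDR_LEN)
        return ST_BAD_LEN;
    if (args[0] != LSM_DEMO_MAGIC)
        return ST_BAD_MAGIC;
    if (args[1] != LSM_DEMO_VERSION)
        return ST_BAD_VERSION;
    if (call < 0 || call >= CALL_COUNT)
        return ST_BAD_CALL;
    /* Exact length match: too few longs reads garbage, too many hides intent. */
    if (nargs - LSM_DEMO_HDR_LEN != call_payload_len[call])
        return ST_BAD_LEN;

    switch (call) {
    case CALL_GET_CAPS:
        return ST_OK;                      /* no payload to validate */
    case CALL_SET_LABEL:
        /* args[2] = object id, args[3] = label length; neither is trusted. */
        if (args[2] < 0)
            return ST_BAD_ARG;
        if (args[3] < 0 || args[3] > MAX_LABEL_LEN)
            return ST_BAD_ARG;
        return ST_OK;
    }
    return ST_BAD_CALL;
}
```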
    