On Fri, 10 Aug 2001, richard offer wrote:

> > > * frm gregat_private "08/10/01 16:33:24 -0700" | sed '1,$s/^/* /'
> *
> *
> * Ah, but Stephan's program should first validate that the kernel is
> * running SELinux by some other method than the syscall (I've detailed
> * that in a previous message). And so should yours. So there will be no
> * conflicts if you validate that your module is loaded before calling the
> * syscall.
>
> I could have no way to determine if my policy is loaded. Seriously, I
> don't. Audit is invisible, so is MAC.
>
> I'm not going to go and create a pseudo file system just to let
> applications know that my policy is loaded. That's bogus. You'd rather
> increase the kernel size than pass one extra parameter?

Bing-Bang-Boom.

Create /proc/lsm-modules/, put sgi-whatever in it. (Never tried to put
anything anywhere but /proc/, but I'd guess it's possible; if not, just
put it in /proc.) Have your application check if it exists. Have your
application pass the whatever it reads from that file to the module as
the first long in the syscall list. Applications read once. No
significant cost from that.

You can even generate the "whatever" based on PID, GID, and other factors
known to both the module and the process by this method. Use 24 bits to
make sure it's you and 8 to hold option flags.

It's only a few lines of code, not a "huge bogus thang."

Not being facetious... but why won't that provide the same or even
better function?

Or (not speaking for anybody but me), make the -1 value of the call
parameter check a module ID, and prohibit (by documentation) it being
used by any of us for any other reason.

    call == -1
    arg[0] == identifier

Trust the module, inform the application. 1 in 4 billion CALL values
isn't likely to hurt anybody, and modules that don't implement it won't
respond to it (I'd hope), and it doesn't create a new syscall pattern
that needs to be generated and sold... or just look "different"
(codoxenophobia).

This violates the "module composition/functionality" inhibition here, but
it's trivial.

> > *
> > * greg k-h
> > *
>
> richard.
>
> -----------------------------------------------------------------------
> Richard Offer                     Technical Lead, Trust Technology, SGI
> "Specialization is for insects"
> _______________________________________________________________________
>

Am I Wrong?
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES            jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
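The probe-then-pass scheme Jones sketches above, as an added example that is not code from this thread or from any LSM module: it assumes a hypothetical /proc/lsm-modules/sgi-whatever file exposing a hex token, packs the 24-bit module identifier and 8 option flags into the first long of the call on the application side, and shows the module-side check that refuses an argument carrying some other identifier (the PID/GID-derived token is left as a constructed constant).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical file a module would publish so applications can tell it is loaded. */
#define LSM_PROBE_PATH "/proc/lsm-modules/sgi-whatever"

#define LSM_ID_BITS   24
#define LSM_ID_MASK   ((1UL << LSM_ID_BITS) - 1)  /* low 24 bits: module identifier */
#define LSM_FLAG_MASK 0xFFUL                      /* next 8 bits: option flags */

/* Parse the hex token text found in the file. Returns the identifier, or -1 if
 * the text is not a number or does not fit in the 24 bits reserved for it. */
long lsm_parse_token(const char *text)
{
    unsigned long v;
    if (sscanf(text, "%lx", &v) != 1 || (v & ~LSM_ID_MASK))
        return -1;
    return (long)v;
}

/* Application side: read the token once. -1 means "module not loaded", and
 * the application must then not make the call at all. */
long lsm_probe(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    long tok = fgets(buf, sizeof buf, f) ? lsm_parse_token(buf) : -1;
    fclose(f);
    return tok;
}

/* Application side: identifier in the low 24 bits, option flags in the next 8. */
unsigned long lsm_pack_arg(uint32_t token, uint8_t flags)
{
    return (token & LSM_ID_MASK) | ((unsigned long)flags << LSM_ID_BITS);
}

/* Module side: accept the argument only if the identifier is ours. Returns the
 * flags (0..255), or -1 to reject a call meant for another module or carrying
 * bits outside the 32 defined here (the shift-then-compare avoids an
 * out-of-range shift when long is 32 bits wide). */
int lsm_check_arg(unsigned long arg, uint32_t my_token)
{
    if ((arg & LSM_ID_MASK) != (my_token & LSM_ID_MASK))
        return -1;
    if ((arg >> LSM_ID_BITS) > LSM_FLAG_MASK)
        return -1;
    return (int)((arg >> LSM_ID_BITS) & LSM_FLAG_MASK);
}
```

On a box without the file, lsm_probe(LSM_PROBE_PATH) returns -1 and the application simply never issues the call, which is the "validate that your module is loaded before calling the syscall" step Greg asked for.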
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 17:39:58 PDT