Re: Possible system call interface for LSM

From: jmjonesat_private
Date: Sun Aug 12 2001 - 17:07:34 PDT


    On Sat, 11 Aug 2001, Greg KH wrote:
    
    > 
    > Actually, if the SELinux kernel module allows that to happen by _any_
    > random user app, then the kernel module has a bug :)
    > 
    
    From out-of-band...
    
    Can't a security module block its own removal using the delete_module
    hook?  If not, wouldn't it solve this problem completely to make sure a
    security module CANNOT be removed without the module's permission?
    
    If two modules need to be primary, failing to remove one prevents the
    "silent (unknown by application)" change quite effectively.
    
    Wait, the module already knows it's being removed... can't it reap any
    applications in a sleeping/wait state?
    
    Additionally, is it likely that admins are going to "swap modules"
    midstream without a reboot?  I don't think it's going to happen in
    1/1000000 cases.
    
    When *I* change a module, I reboot cycle... just to be *sure* the kernel
    is in a known state.  (Paranoia on the other side.)
    
    Confused,
    J. Melvin Jones
    
    P.S. -- You know... refusing to exit is a function that modules can't
    perform in Linux.  If we haven't already caught this, we probably should,
    so a security module can say "no way!"
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    
    This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 17:09:47 PDT