jmjonesat_private wrote:

> Bing-Bang-Boom. Create /proc/lsm-modules/, put sgi-whatever in it.
> (Never tried to put anything anywhere but /proc/, but I'd guess it's
> possible, if not, just put it in /proc) Have your application check if it
> exists. Have your application pass the whatever it reads from that file to
> the module as the first long in the syscall list.
>
> Applications read once. No significant cost from that.
>
> You can even generate the "whatever" based on PID, GID, and other factors
> known to both the module and the process by this method.
>
> Use 24 bits to make sure it's you and 8 to hold option flags.
>
> It's only a few lines of code, not a "huge bogus thang."
>
> Not being facetious... but why won't that provide the same or even better
> function?

What if my policy doesn't allow the application to read /proc?

No, seriously. It is quite reasonable to provide a policy which restricts what filesystems an application may access, even (especially?) those which require privilege to do their jobs.

The /proc mechanism requires that I have access to /proc. The syscall mechanism requires that I have access to syscalls. I don't know of any policy which might restrict access to all syscalls.

This is fun. I wish I could be at USENIX.

--
Casey Schaufler
Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 888.220.0607

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 10:00:33 PDT