RE: syscall convention

• Previous message: James Morris: "Re: Capability tests in netlink and oom_kill"
• Maybe in reply to: David Wheeler: "syscall convention"
• Next in thread: richard offer: "RE: syscall convention"
• Reply: richard offer: "RE: syscall convention"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----Original Message-----
> From: David Wheeler [mailto:dwheelerat_private]
> Could we include documentation on this parameter somewhere
> (at least in a comment)?  Here's some starter documentation:
> 
>   The "modid" parameter identifies the security module, to 
> support safety
>  checking and "stacking" of multiple modules.  Not all security
>  modules care about the modid parameter value or follow the usual
>  conventions; see the security module's
>  documentation for more information.  By convention, the modid value
>  usually has the first 32 bits of the module name's MD5 hash, 
> computed as:
>    echo -n 'MODULE_NAME' | md5sum | head --bytes=8; echo
>  Thus, the "world-domination" security module's modid is 
> usually 0x95189e78.
>  This approach eliminates the need for a central registry, 
> supports safety
>  and stacking, and retains the speed of a system call.
> 
> I've no doubt that the people on this list will comment about 
> this text :-).

I took the bait.  Realizing it's only a convention, I think it may be better
to use fewer bytes than 8 and leave some room for versioning of the
modules for when semantic changes are made to the interface.

I would prefer that the convention leave 4 or 8 bits at the end of the word
for versioning.  Something along the lines of:
echo -n 'MODULE_NAME' | md5sum | head --bytes=6; echo -n $MOD_VERS ; echo

The alternative to this when changing the interface semantics for the module
is to change the module name itself in the above line, generating an
entirely new MD5 number.

As a point of clarification, when I use the term "versioning" in the context
of interface semantic changes, I don't mean increment the version number on
each rev of the module.  I intend it to mean to increment the version number
used here only when there are radical changes to the underlying module.
It's up to each module designer to determine when to, if at all, increment
the version number.

Again, this is only a convention, so no one has to adopt these methods, but
I think the versioning idea is a good thing to include in the convention
itself.

--steve kramer

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Stephen Smalley: "Re: Capability tests in netlink and oom_kill"
• Previous message: James Morris: "Re: Capability tests in netlink and oom_kill"
• Maybe in reply to: David Wheeler: "syscall convention"
• Next in thread: richard offer: "RE: syscall convention"
• Reply: richard offer: "RE: syscall convention"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 04:43:57 PDT