Chris Wright wrote:

> the bdflush hook can be getting a userspace pointer ('long data' is
> a pointer for some values of 'int func'). it seems like we should
> at least note this, since we prefer giving the module kernel space
> pointers.

Good catch. This is dangerous, and in my opinion probably deserves more than just a comment. In particular, in cases where it represents a userspace pointer, it must be ignored, or else the module will almost surely inherit a security hole. (Heaven save us from ioctl-like interfaces, where the usage of parameters is inconsistent.)

In fact, is there any reason to pass the 'data' value to the hook at all? Passing it seems like a temptation to shoot oneself in the foot. Does anyone actually need this value to enforce policy?

If someone does need it, I think some cleanup of sys_bdflush() may be in order. If no one needs it, the benefit of omitting it from the hook is that it will force us to handle things correctly if someone eventually decides they need access to this parameter.

What do you think of this proposal?

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
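An added illustration of the hazard discussed in the message above (example code, not from the thread or the LSM tree). It assumes the 2.4-era sys_bdflush() calling convention, where func 0 and 1 ignore 'data', even func values >= 2 read a tunable into a user-space pointer held in 'data', and odd func values >= 3 set a tunable to the plain value in 'data'; the MAX_ALLOWED policy and the two hook shapes are hypothetical.

```c
#include <errno.h>

/* Assumption: sys_bdflush(int func, long data) in 2.4 treats 'data' as
 * unused for func 0/1, as a user-space pointer (put_user target) for even
 * func >= 2, and as a plain parameter value for odd func >= 3. */
enum bdflush_data_kind { BDF_DATA_UNUSED, BDF_DATA_USER_PTR, BDF_DATA_VALUE };

enum bdflush_data_kind bdflush_data_kind(int func)
{
    if (func < 2)
        return BDF_DATA_UNUSED;
    return (func & 1) == 0 ? BDF_DATA_USER_PTR : BDF_DATA_VALUE;
}

/* Hypothetical module policy: no bdflush tunable may be set above this. */
#define MAX_ALLOWED 1000L

/* Hazardous shape: 'data' is interpreted the same way for every func, so a
 * read request (even func) has its user-space pointer compared as if it
 * were a tunable value, and the policy decision becomes meaningless. */
int bdflush_hook_unsafe(int func, long data)
{
    if (func >= 2 && data > MAX_ALLOWED)
        return -EPERM;
    return 0;
}

/* Defensive shape: 'data' is only examined when the calling convention
 * says it carries a value; when it is a user pointer it is ignored. */
int bdflush_hook_safe(int func, long data)
{
    if (bdflush_data_kind(func) == BDF_DATA_VALUE && data > MAX_ALLOWED)
        return -EPERM;
    return 0;
}
```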
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 19:45:32 PDT