Re: Common header for security blobs

• Previous message: Greg KH: "Re: quotactl hook"
• In reply to: Stephen Smalley: "Re: Common header for security blobs"
• Next in thread: Crispin Cowan: "Re: Common header for security blobs"
• Next in thread: Chris Wright: "Re: Common header for security blobs"
• Reply: Crispin Cowan: "Re: Common header for security blobs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 6 Sep 2001, Stephen Smalley wrote:

> 
> On Thu, 6 Sep 2001, Chris Wright wrote:
> 
> > something needs to coallate the modules' decisions and generate an
> > aggreagrate result.
> 
> This is true, but the lack of a common header makes a lot more work for
> the multiplexor module.  As I said earlier, without a common header,
> the multiplexor module must save the original security field on entry to
> the hook, and then set the field to point to each module's object before
> calling each module's hook.  Same thing in reverse on allocation of the 
> objects.  The problem is that the modules directly dereference the kernel
> object's security field to set and access it, so they are all looking in
> the same place.
> 
> If we have a common header, then each module can simply be written to
> search the list in the header for its own object, identified by the module
> id.  Likewise, each module can be written to insert a new blob into the
> list when alloc_security is called.  This simplifies the multiplexor
> module to merely calling the submodules in sequence on the kernel objects,
> without needing to tweak the security field at all. 

In for a (pint), in for a pound... since we stuck an integer in the system
call that identifies the module, sticking it here is not a great big deal.
I'd think the "idea" that jumped the hoop was that modules need to be
identified... making the "blob"

typedef struct {
  unsigned int modid;
  void *data;
}
LSM_BLOB;

or something along those lines seems consistant.

On the other hand, I tend to agree with Greg... this is a module issue,
stackable-family or not.  However, since "modid" is already there, I think
it hurts little to be consistant and pass that idea around.

> 
> --
> Stephen D. Smalley, NAI Labs
> ssmalleyat_private
> 

J. Melvin Jones

|>------------------------------------------------------
||  J. MELVIN JONES            jmjonesat_private 
|>------------------------------------------------------
||  Microcomputer Systems Consultant  
||  Software Developer
||  Web Site Design, Hosting, and Administration
||  Network and Systems Administration
|>------------------------------------------------------
||  http://www.jmjones.com/
|>------------------------------------------------------




_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Stephen Smalley: "Re: Common header for security blobs"
• Previous message: Greg KH: "Re: quotactl hook"
• In reply to: Stephen Smalley: "Re: Common header for security blobs"
• Next in thread: Crispin Cowan: "Re: Common header for security blobs"
• Next in thread: Chris Wright: "Re: Common header for security blobs"
• Reply: Crispin Cowan: "Re: Common header for security blobs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 13:45:33 PDT