Re: [PATCH] permission hook in filemap_nopage

• Previous message: Greg KH: "Re: [PATCH] extended attribute support"
• In reply to: Chris Wright: "Re: [PATCH] permission hook in filemap_nopage"
• Next in thread: Stephen Smalley: "Re: [PATCH] permission hook in filemap_nopage"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 04 Feb 2002 20:09:20 PST, Chris Wright said:
> ah, i see, good question.  i can't think of any from the top of my
> head.  not all hooks are in a syscall path, some will be called from an
> interrupt context, e.g. ip layer hooks, or send_sigiotask.  but it's not
> necessarily a recipe for async notification to user app.  it is possible

Yes, but if it *is* a recipe for async notification, we need to have a
handle on how/what happens...

> that a security policy violation could result in sending the app SIGKILL.

How rude. ;)

Actually, having a *documented* "you can SEGV if your mmap() is revoked"
would be tolerable.  It's the fun&games of trying to *debug* an application
crash that's getting a "cant happen" SEGV (and of trying to write a signal
handler that will Do The Right Thing).

> it's also possible that an app is waiting for SIGIO, but it never arrives.
> but neither of these really fall into the category you're asking about.
> food for thought ;-)

Exactly - Linux has never been incredibly strong at asynchronous event
handling (I'm meaning "strong" the way IBM's mainframe systems are "strong"
at it - WAIT/POST and async I/O were a solved problem in the early 60s
and they've gotten better at it since).

One headache is that the Linux signal mechanism seems to be stuck with
32 non-realtime signals, and they're all taken, so there isn't even
the option of defining a new SIGREVOKE or something, and doing things
that way.  As a counter-example, AIX allows a lot more signals, so they
can afford stuff like SIGDANGER to a process so it can try to free up
memory (a lot nicer than the "kill -9 a likely process" route if you run
out of swap), or a SIGXCPU if you've exceeded a CPU usage limit, etc etc.
They've even got this gem:

 #define SIGPRE   36 /* programming exception */

(There's also a 'SIGSAK' telling you the Secure Attention Key has been hit,
but that's neither here nor there - or is it? ;)

How much properly-written code would break if the value of _NSIG in
bits/signum.h chagned from 64 to 96 or 128? ;)

(Yes, I know the Powers That Be would probably have a *cow* at the idea,
but the 2.5 kernel would be the time to get ourselves a SIGREVOKE and SIGSAK,
wouldn't it? ;)

/Valdis
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Stephen Smalley: "Re: [PATCH] permission hook in filemap_nopage"
• Previous message: Greg KH: "Re: [PATCH] extended attribute support"
• In reply to: Chris Wright: "Re: [PATCH] permission hook in filemap_nopage"
• Next in thread: Stephen Smalley: "Re: [PATCH] permission hook in filemap_nopage"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 21:25:49 PST