On Mon, 4 Feb 2002, Antony Edwards wrote:

> At the moment there is no permission check in filemap_nopage (reading in a
> page from an mmaped file). This makes the permission check in
> sys_read / sys_write a little pointless as the user can always avoid this
> check by mmaping the file.

The mmap and mprotect calls are already hooked, so you can check the
protection values during those calls. If you are worried about revoking
access after the mmap/mprotect call, then simply hooking filemap_nopage
doesn't solve the problem, since you would still need a mechanism for
revoking pages that have already been mapped. So it isn't clear that
hooking filemap_nopage is worthwhile (although we did insert a check into
it in the original SELinux kernel patch).

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
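
Added example, not part of the original message and not LSM or SELinux code: a small Linux user-space program showing the two points in the reply, that mprotect is itself a checked call and that a page already mapped stays readable after access to the file is taken away. The scratch path and the function name are assumptions made for the demo, and plain file mode bits stand in for a security module's policy.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define SURVIVES_REVOKE 0x1 /* mapped data still readable after chmod 0 + close */
#define MPROTECT_DENIED 0x2 /* upgrade to PROT_WRITE refused with EACCES */

/* Returns a bitmask of the flags above, or -1 if the setup itself failed. */
int mapping_outlives_checks(void)
{
    char path[] = "/tmp/mmap_revoke_XXXXXX"; /* constructed scratch file */
    const char msg[] = "secret";
    int result = 0;

    int wfd = mkstemp(path);
    if (wfd < 0) return -1;
    ssize_t n = write(wfd, msg, sizeof msg);
    close(wfd);
    int fd = (n == (ssize_t)sizeof msg) ? open(path, O_RDONLY) : -1;
    if (fd < 0) { unlink(path); return -1; }

    /* Access is decided here, at mmap time, from the open mode of fd. */
    char *p = mmap(NULL, sizeof msg, PROT_READ, MAP_SHARED, fd, 0);
    close(fd); /* the mapping keeps its own reference to the file */
    if (p == MAP_FAILED) { unlink(path); return -1; }

    volatile char first = p[0]; /* fault the page in now */
    (void)first;
    chmod(path, 0); /* "revoke": clear every mode bit on the file */

    /* The page is already mapped, so this read takes no page fault;
       a check placed in the fault path would never run for it. */
    if (memcmp(p, msg, sizeof msg) == 0) result |= SURVIVES_REVOKE;

    /* mprotect is a checked call: a shared mapping of a file opened
       read-only cannot be upgraded to writable. */
    if (mprotect(p, sizeof msg, PROT_READ | PROT_WRITE) == -1 && errno == EACCES)
        result |= MPROTECT_DENIED;

    munmap(p, sizeof msg);
    unlink(path);
    return result;
}

int main(void) { printf("result=%d\n", mapping_outlives_checks()); return 0; }
```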
This archive was generated by hypermail 2b30 : Tue Feb 05 2002 - 05:36:26 PST