* Huagang Xie (xieat_private) wrote:
>
> What I want is to check the "envp" ( the envp passed to the
> sys_execve()).. current hook in do_execve() do not give me this envp,
> the first one alloc_security(&bprm) is too early that the bprm do not
> get envp from the copy_string yet..so I ask for another hook..but I found
> that the free_security(&bprm) can get me the envp in bprm structure, but
> it do not let me return an error from it. The best way for me is add a new
> hook after copy_string the envp..
>
> does this make it clear?

yes, thank you. the problem with making free_security(&bprm) return an
error code is that it's too late. you've already wiped clean the old
program and replaced it with the new one.

i see two solutions to adding a new hook.

1) rearrange kernel code path slightly, such that prepare_binprm(&bprm)
   happens after the copy_strings. penalty is some basic simple sanity
   checking which could error out must wait until after a more costly
   copy_from_user.

2) move the set_security hook out of prepare_binprm and locate it after
   the copy_strings calls. penalty same as above, plus any problems
   introduced by this move (i don't see any in dummy.c, capability.c and
   owlsm.c).

i prefer the second choice here. what do others think?

thanks,
-chris
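
Added example, not part of the original message and not kernel code: a user-space C model of the ordering discussed above, showing why an envp check placed after the copy_strings stage can still fail the exec cleanly while the same check at the free_security stage returns its verdict only after the old program is gone. The names model_execve, envp_policy, exec_result and hook_site, and the LD_PRELOAD rule, are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* User-space model only; none of these are kernel functions. */
enum hook_site { HOOK_AFTER_COPY_STRINGS, HOOK_AT_FREE_SECURITY };

struct exec_result {
    int err;             /* value handed back to the caller of execve */
    int old_image_alive; /* 1 if the calling program still exists */
    int new_image_ran;   /* 1 if the new program was started */
};

/* Constructed policy: refuse any environment that sets LD_PRELOAD. */
static int envp_policy(const char *const *envp)
{
    for (; envp && *envp; envp++)
        if (strncmp(*envp, "LD_PRELOAD=", 11) == 0)
            return -1;   /* stands in for an errno such as -EPERM */
    return 0;
}

struct exec_result model_execve(const char *const *envp, enum hook_site site)
{
    struct exec_result r = { 0, 1, 0 };
    /* Stages before this point (alloc_security, prepare_binprm) have no envp. */
    const char *const *bprm_envp = envp;   /* copy_strings stage */

    if (site == HOOK_AFTER_COPY_STRINGS) {
        r.err = envp_policy(bprm_envp);
        if (r.err)
            return r;    /* clean failure: the caller keeps running */
    }
    /* Loader stage: old program wiped, new one installed. */
    r.old_image_alive = 0;
    r.new_image_ran = 1;

    if (site == HOOK_AT_FREE_SECURITY)
        r.err = envp_policy(bprm_envp);    /* verdict arrives too late */
    return r;
}

int main(void)
{
    /* Constructed sample environment. */
    const char *const env[] = { "PATH=/bin", "LD_PRELOAD=/tmp/x.so", NULL };
    struct exec_result a = model_execve(env, HOOK_AFTER_COPY_STRINGS);
    struct exec_result b = model_execve(env, HOOK_AT_FREE_SECURITY);
    printf("after copy_strings: err=%d old_alive=%d\n", a.err, a.old_image_alive);
    printf("at free_security:   err=%d old_alive=%d\n", b.err, b.old_image_alive);
    return 0;
}
```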
This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 20:09:35 PST