Re: question about bprm_ops->alloc_security(&bprm)

From: Huagang Xie (xieat_private)
Date: Tue Feb 12 2002 - 15:02:51 PST


    Hi,
    
    Thanks for your response. I will submit a patch for that. But when I
    tried to see if I can get the env string from the bprm->page, I found that
    it is complicated for me to decode that envp from bprm->page. I wonder if
    we can use a straightforward one -- just
    
    	bprm_ops->check_envp(envp)
    
    In check_envp, we can do get_user(env,envp) to get the data from
    user space and check it. I know it is not consistent with the current
    implementation, but it is an easy way for me to do it.
    
    Another question, about readdir: LIDS has a feature to hide a file/dir.
    The way to do it is that when the kernel gets the dir entries, it calls
    filldir() in fs/readdir.c to generate a file list. LIDS hooks into this
    function and does a check there. I wonder if LSM can also provide a hook in
    this function or another function that can achieve the same result.
    
    Thanks for all your support. LIDS can run very well on LSM, except for the
    "LD_" checking, which is very critical for LIDS, and this hidden file/dir.
    
    Thanks,
    Huagang
    
    
    
     On Fri, 8 Feb 2002, Stephen Smalley wrote:
    
    > 
    > On Wed, 6 Feb 2002, Huagang Xie wrote:
    > 
    > > Here is a patch for this hook. I just added it in fs/exec.c; does this
    > > sound good?
    > 
    > In general, it would help if you submitted a complete patch, i.e. one that
    > updates 'include/linux/security.h' and the example security modules under
    > the 'security' directory.  At a minimum, you should include trivial hook
    > functions for the dummy and capability modules (they can just return 0),
    > and it would be nice to do so for all of the example modules.
    > 
    > Also, as several people have suggested, you should rename the hook to
    > something more appropriate.  Even check_bprm would be better than
    > post_alloc_security.
    > 
    > I agree that a new hook is reasonable here - moving the set_security hook
    > or the prepare_binprm call seems like a worse option.
    > 
    > --
    > Stephen D. Smalley, NAI Labs
    > ssmalleyat_private
    > 
    > 
    > 
    > 
    > _______________________________________________
    > linux-security-module mailing list
    > linux-security-moduleat_private
    > http://mail.wirex.com/mailman/listinfo/linux-security-module
    > 
    
    -- 
    LIDS secure linux kernel
    http://www.lids.org/
    1024D/B6EFB028 		4731 2BF7 7735 4DBD 3771  4E24 B53B B60A B6EF B028
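
A user-space model of the decoding problem raised in the message above, added here as an illustration; it is not code from the poster, LIDS, or the LSM patch. It assumes the environment strings lie as consecutive NUL-terminated strings across an array of separately allocated fixed-size pages (a simplification, not the kernel's exact layout); `PAGE_SZ`, `page_byte`, `count_ld_env` and the sample data are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SZ 8 /* tiny page size (assumption) so strings straddle pages */

/* Constructed sample: "TERM=x", "LD_PRELOAD=x", "HOME=/" packed over 4 pages. */
static char p0[PAGE_SZ] = {'T','E','R','M','=','x','\0','L'};
static char p1[PAGE_SZ] = {'D','_','P','R','E','L','O','A'};
static char p2[PAGE_SZ] = {'D','=','x','\0','H','O','M','E'};
static char p3[PAGE_SZ] = {'=','/','\0'};
char *const sample_pages[] = {p0, p1, p2, p3};

/* Read the byte at linear offset `off`; -1 if outside the copied pages. */
static int page_byte(char *const pages[], size_t npages, size_t off)
{
    if (off / PAGE_SZ >= npages || pages[off / PAGE_SZ] == NULL)
        return -1;
    return (unsigned char)pages[off / PAGE_SZ][off % PAGE_SZ];
}

/* Count the strings (out of envc, starting at `start`) whose name begins
 * with "LD_". Returns -1 if a string has no terminator inside the pages,
 * so a caller can fail closed on malformed input. */
int count_ld_env(char *const pages[], size_t npages, size_t start, int envc)
{
    static const char prefix[] = "LD_";
    size_t off = start;
    int hits = 0;

    for (int i = 0; i < envc; i++) {
        size_t matched = 0; /* leading bytes that matched the prefix */
        for (size_t pos = 0; ; pos++, off++) {
            int c = page_byte(pages, npages, off);
            if (c < 0)
                return -1;
            if (c == 0) { off++; break; }
            if (pos == matched && pos < sizeof(prefix) - 1 && c == prefix[pos])
                matched++;
        }
        hits += (matched == sizeof(prefix) - 1);
    }
    return hits;
}

int main(void)
{
    printf("LD_ variables: %d\n", count_ld_env(sample_pages, 4, 0, 3));
    return 0;
}
```

In the sample, the `LD_` prefix itself is split across the first page boundary, which is the case a per-page string search would miss.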
    
    



    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 14:59:31 PST