Re: Maintaining LSM modules

From: Chris Wright (chrisat_private)
Date: Mon Apr 15 2002 - 10:19:32 PDT


    * Lachlan McIlroy (lachlanat_private) wrote:
    > 
    > A recent post by Richard Offer sparked some thoughts about the problems 
    > of maintaining modules that use the LSM framework.
    > 
    > The current method of sanitizing a module during load only checks that 
    > there are no NULL pointers in the security operations structure.  What 
    > about old modules that have a smaller security operations structure 
    > which is immediately followed by non-NULL data?
    
    [snipped nice list of possible solutions]
    
    Indeed, the verification is not perfect, it's a rather simple solution.
    However, you must consider that there is no compatibility guarantee for
    an internal kernel interface (unlike the syscall interface).  We do not
    support binary compatibility, and if you recompile and the interface has
    changed, the compiler will^Wshould catch prototype changes.  Similarly the
    verification will detect holes in the structure (perhaps minus the
    adjacent memory you mentioned above).
    
    Given that, I _am_ interested in a nice clean way to initialize the
    security_ops struct that allows the module author to only overwrite the
    hooks they care about (similar to the last solution you propose).  This
    is for code readability/maintainability as well as possibly providing a safe
    fail-close solution.
    
    thanks,
    -chris
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
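
Added example, not part of the original message or of the LSM code: a user-space C model of the initialization idea discussed above, where a module sets only the hooks it cares about and every unset hook is filled with a denying default before the NULL check runs. The `sec_ops` struct, its three hooks, `verify_no_null` and `fill_defaults` are hypothetical names chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical three-hook table standing in for the security operations struct. */
struct sec_ops {
    int (*file_open)(const char *path);
    int (*task_kill)(int pid, int sig);
    int (*sb_mount)(const char *dev);
};

/* Fail-closed defaults: a hook the module did not supply denies the operation. */
static int deny_file_open(const char *path) { (void)path; return -EPERM; }
static int deny_task_kill(int pid, int sig) { (void)pid; (void)sig; return -EPERM; }
static int deny_sb_mount(const char *dev) { (void)dev; return -EPERM; }

/* Load-time sanity check of the kind the thread describes: no NULL hooks. */
int verify_no_null(const struct sec_ops *ops)
{
    return ops->file_open && ops->task_kill && ops->sb_mount;
}

/* Replace every unset hook with its denying default before registration. */
#define FILL(ops, hook) do { if (!(ops)->hook) (ops)->hook = deny_##hook; } while (0)
void fill_defaults(struct sec_ops *ops)
{
    FILL(ops, file_open);
    FILL(ops, task_kill);
    FILL(ops, sb_mount);
}

/* Constructed sample module: it only cares about file_open. */
static int sample_file_open(const char *path) { (void)path; return 0; }
struct sec_ops sample_module = { .file_open = sample_file_open };

int main(void)
{
    printf("raw table passes check: %d\n", verify_no_null(&sample_module));
    fill_defaults(&sample_module);
    printf("filled table passes check: %d\n", verify_no_null(&sample_module));
    printf("unset hook returns: %d\n", sample_module.task_kill(1, 9));
    return 0;
}
```

Because the designated initializer zeroes every member it does not name, a hook added to the struct later is NULL in a recompiled module and gets the denying default as soon as a matching `FILL` line is added.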
    



    This archive was generated by hypermail 2b30 : Mon Apr 15 2002 - 10:22:54 PDT