Re: OLS Bof info

From: Crispin Cowan (crispinat_private)
Date: Sat Jun 29 2002 - 10:46:32 PDT

  • Next message: jmjonesat_private: "Re: OLS Bof info"

    jmjonesat_private wrote:
    
    >On Sat, 29 Jun 2002, Chris Wright wrote:
    >  
    >
    >>* James Morris (jmorrisat_private) wrote:
    >>    
    >>
    >>>On Thu, 27 Jun 2002, Seth Arnold wrote:
    >>>      
    >>>
    >>>>Chris offers a beer to whoever can come up with a slick solution so
    >>>>that module authors don't have to define functions they don't care
    >>>>about.
    >>>>        
    >>>>
    >>>I think this can be done relatively simply once the hooks are flattened 
    >>>out (I looked at this some months ago, and managing the double pointers 
    >>>was the only problem, IIRC).
    >>>      
    >>>
    >>the main thing i want to avoid is fooling the module into thinking it
    >>has filled in all callbacks when defaults are automagically used.
    >>    
    >>
    >As king of the "relatively stupid questions", can I ask somebody to
    >
    :)
    
    >briefly explain:
    >
    >ASSUMPTION: the interface still allows ONE registration of the LSM
    >structure, and all subsequent MUST be subordinately registered by the
    >primary module. (I've been working off-the-tree for some time.)
    >
    This issue has little to do with module stacking. It has to do with 
    version control of the interface between kernels and modules. The 
    pathology we seek to avoid is that the kernel is upgraded to a new LSM 
    interface that includes new/different hooks, and someone loads an older 
    module. We do not want the system to result in a "failed open" state 
    where some critical hook is *not* mediated because the older module did 
    not know that hook existed.
    
    However, JM does raise a good point: the same problem re-occurs in the 
    context of module stacking, where each module exports an LSM interface 
    out the back end for the next module.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
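The two concerns raised in this message, that a stale module must not leave a newer hook unmediated ("failed open"), and that a module must not be fooled into thinking it filled in every callback when defaults were substituted, can be shown in a few lines of C. The code below is an added illustration, not anything from the LSM tree or from the people quoted above; the flattened hook table, the version constant and the registration function are all constructed for this example and do not model the real `struct security_operations`.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a hypothetical flattened hook table, not the kernel's
 * real struct security_operations. The version constant is owned by the
 * kernel side of the interface. */
#define LSM_IFACE_VERSION 2U

typedef int (*hook_fn)(int subject, int object);

struct sec_ops {
    unsigned int iface_version;  /* interface version the module was built against */
    hook_fn file_open;           /* present since version 1 */
    hook_fn file_mmap;           /* present since version 1 */
    hook_fn socket_connect;      /* added in version 2; a version-1 module never heard of it */
};

/* Fail-closed default installed in any slot the module left empty. */
static int deny_default(int subject, int object)
{
    (void)subject; (void)object;
    return -1;                   /* deny, in the spirit of -EACCES */
}

/* Outcome of a registration attempt, so the loader is never fooled. */
struct reg_result {
    int accepted;                /* 1 if the table was installed */
    int defaulted;               /* number of hooks the module did not supply */
};

/* Installs a module's hook table. A version mismatch is refused outright, so a
 * module that predates a hook can never leave that hook unmediated. For a
 * same-version table, every NULL slot is filled with deny_default and counted,
 * so the caller knows defaults were used instead of believing the module
 * filled in everything. */
struct reg_result register_sec_ops(struct sec_ops *ops)
{
    struct reg_result r = { 0, 0 };
    hook_fn *slots[] = { &ops->file_open, &ops->file_mmap, &ops->socket_connect };
    size_t i;

    if (ops->iface_version != LSM_IFACE_VERSION)
        return r;                /* stale or unknown interface: not installed */

    for (i = 0; i < sizeof slots / sizeof slots[0]; i++) {
        if (*slots[i] == NULL) {
            *slots[i] = deny_default;
            r.defaulted++;
        }
    }
    r.accepted = 1;
    return r;
}

/* Sample module hooks (constructed): only subject 0 may open files, anyone may mmap. */
static int mod_file_open(int subject, int object)
{
    (void)object;
    return subject == 0 ? 0 : -1;
}

static int mod_file_mmap(int subject, int object)
{
    (void)subject; (void)object;
    return 0;
}

/* A current-version module that forgot socket_connect: it is accepted, the
 * loader is told one hook was defaulted, and the gap denies rather than
 * being skipped. Returns 1 when all of that holds. */
int demo_current_module(void)
{
    struct sec_ops ops = { LSM_IFACE_VERSION, mod_file_open, mod_file_mmap, NULL };
    struct reg_result r = register_sec_ops(&ops);
    return r.accepted && r.defaulted == 1 && ops.socket_connect(1, 2) == -1;
}

/* A module built against version 1 is refused outright. Returns 1 if refused. */
int demo_stale_module(void)
{
    struct sec_ops ops = { 1U, mod_file_open, mod_file_mmap, NULL };
    struct reg_result r = register_sec_ops(&ops);
    return r.accepted == 0;
}

int main(void)
{
    printf("current module, missing hook defaulted to deny: %s\n",
           demo_current_module() ? "ok" : "FAIL");
    printf("stale module refused: %s\n", demo_stale_module() ? "ok" : "FAIL");
    return 0;
}
```

The design point is that the two checks are separate: the version comparison handles the kernel-upgrade case in the message (the old module's table does not even have a slot for the new hook, so the only safe answer is to refuse it), while the NULL-slot pass handles a same-version module that simply did not care about some hook, filling it with a denying stub and reporting the count rather than silently pretending the module supplied it.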
    



    This archive was generated by hypermail 2b30 : Sat Jun 29 2002 - 10:47:32 PDT