Looking at the arch specific stuff, there is a hook in sys_iopl and sys_ioperm. Paul Mackerras pointed out to me that all I/O on the ppc is memory mapped. After hearing that, I was concerned that this might lead to alternate platform security holes if the module writer puts different checks in the sys_iopl and sys_ioperm hooks than in the memory mapping hooks. But none of the current modules, selinux, dte, lids, owlsm capabilities, dummy actually use the hooks. SELinux has a comment to say that they use the CAP_RAWIO capability to handle the issue. Are these hooks really desirable given that they might lead to easily overlooked security bugs on non-Intel platforms? If they are really desirable, should we warn the module writer that their module might not work as expected on non-Intel platforms in the comment for them in security.h? Emily -- Emily Ratliff IBM Linux Technology Center, Security _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Jul 23 2002 - 16:21:01 PDT