Chris Wright wrote:

>This is how I'd do it as well (of course, with the unlock bug that
>Greg pointed out fixed ;-). I know Crispin doesn't find this elegant,
>but the overhead is not critical, and it's consistent with other bits
>of the kernel (for example, binfmt handlers) and even other projects
>(apache module handling is done this way).
>
>If this polling style leaves a sour taste you could certainly create
>a stacker protocol that does more efficient dispatching. The
>mod_reg_security() interface (which the subordinate modules will use
>to register with the stacker) contains the parts necessary to do this.
>The name string could be required (by stacker protocol) to be one of two
>things: 1) the string used by the module when generating the md5sum'd ID;
>2) the string version of the ID. You get the idea...
>

The idea above came about from chatting with Chris this afternoon. There's something really neat here, which I don't think is conveyed in the text above.

Previously, Wheeler proposed that the module ID should be defined as the first 32 bits of the MD5 of the module's name. One & all liked that idea, but did not agree on a strict specification of the text to be fed to MD5 to come up with this checksum, leading to module ID ambiguity, etc. etc.

Now suppose that the Stacker module imposes (only on modules to be stacked by Stacker, of course) a strict protocol in which the module ID is exactly the MD5 of the name fed to mod_reg_security(). It's important that it be strict, because Stacker can use this name to compute the ID of the module just loaded. So, with no change in the interface at all, Wheeler can do indexed lookup of modules. All that is required is for modules that want to play with Stacker to strictly conform to Stacker's view of the mapping from name to ID.

Chris tells me that he vaguely recalls one of the players here who used the entire project title phrase as the MD5 input, rather than the short name. I suspect that most everyone used some variation on their own name. IMHO, just having a strict interpretation of what you should MD5 to get your ID # is a benefit in itself.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
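
The strict name-to-ID protocol described in the message above, as an added user-space sketch (not code from this thread or from the LSM project): the stacker derives each module's ID from the name passed at registration, refuses a module whose own ID disagrees, and uses the derived ID for indexed lookup. The `Stacker` class, the module names, and the ASCII and big-endian choices are assumptions made for illustration.

```python
import hashlib


def module_id(name, byteorder="big"):
    """First 32 bits of MD5 over the exact bytes of the registered name.

    Assumptions of this sketch (the thread does not fix them): the name is
    ASCII, hashed without a terminator, and the four bytes are read big-endian.
    """
    digest = hashlib.md5(name.encode("ascii")).digest()
    return int.from_bytes(digest[:4], byteorder)


class Stacker:
    """Hypothetical model of the stacker's module registry (not kernel code)."""

    def __init__(self):
        self._modules = {}  # derived module ID -> (name, ops)

    def register(self, name, ops, claimed_id=None):
        """Models a mod_reg_security(name, ops) call arriving at the stacker."""
        mid = module_id(name)
        # A module that hashed some other string (for example its project
        # title) does not conform to the stacker's mapping and is refused.
        if claimed_id is not None and claimed_id != mid:
            raise ValueError(f"{name!r}: claimed {claimed_id:#010x}, derived {mid:#010x}")
        # Same name twice, or a 32-bit collision between two names.
        if mid in self._modules:
            raise ValueError(f"ID {mid:#010x} already held by {self._modules[mid][0]!r}")
        self._modules[mid] = (name, ops)
        return mid

    def lookup(self, mid):
        """Indexed dispatch: one table probe instead of polling every module."""
        entry = self._modules.get(mid)
        return entry[1] if entry else None


def demo():
    stacker = Stacker()
    # Constructed names: a short name and a project-title phrase.
    mid = stacker.register("examplemod", ops="examplemod_ops")
    try:
        stacker.register("othermod", ops="othermod_ops",
                         claimed_id=module_id("Other Project Security Module"))
        refused = False
    except ValueError:
        refused = True
    return mid, stacker.lookup(mid), refused


if __name__ == "__main__":
    print(demo())
```

Reading the same four digest bytes little-endian gives a different ID, so byte order has to be part of any strict specification along with the exact input string.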
This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 16:28:59 PDT