Re: [PATCH] remove sys_security

From: Andreas Ferber (aferberat_private-bielefeld.de)
Date: Fri Oct 18 2002 - 04:43:11 PDT

    On Fri, Oct 18, 2002 at 11:25:02AM +0200, Andi Kleen wrote:
    > 
    > The 32bit and the 64bit worlds have different data types. Structure
    > layouts are different. To handle this the kernel has an emulation
    > layer that converts the arguments of ioctls and system calls between 
    > 32bit and 64bit.
    > 
    > This emulation layer sits at the 'edge' of the kernel. For example
    > to convert an ioctl it first figures out the ioctl, converts it
    > then reissues the same ioctl internally with 64bit arguments. When
    > the ioctl returns outgoing arguments are converted too as needed.
    > 
    > For this to work all data structures need to be transparent.
    > The emulation layer needs to have a way to figure out what and
    > how to convert without looking at internal state in the kernel.
    > Otherwise it cannot do its job. 
    
    Why not let the security module supply the information about the
    struct layout?
    
    I'm thinking of something roughly like stdarg.h, e.g.
    
        #include <linux/user_args.h>
        
        user_args args;
    
        user_args_start(&args, ptr);
    
    where args is some variable where user_args can save internal state
    and ptr is the pointer to the struct from userland (which is
    translated appropriately to a kernel space pointer; maybe also a size
    argument might be handy, so that you can copy the struct from
    userspace memory to kernel memory at once instead of accessing user
    address space for every struct member individually), then
    
        struct.longlongmember = user_args_get(&args, long long);
    
    which applies the right alignment, translates 32bit to 64bit etc.
    Due to complexity probably one wants to restrict that to a set of
    common types instead of making it fully generic (and e.g. use something
    like user_args_get_longlong() instead of the type argument), but I
    don't think this would be a serious restriction (you can always extend
    it later if you really need another type to get through).
    
    This wouldn't work on an architecture where members following later in
    a struct could affect the alignment of previous members, but are there
    any (sane) architectures around where this is the case? Personally I
    can't think of any reason why one possibly wanted to do that...
    
    Andreas
    -- 
           Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
         ---------------------------------------------------------
             +49 521 1365800 - afat_private - www.devcon.net
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
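
The cursor idea sketched in the message above, as an added user-space C example; it is not code from the mail or from the kernel. The `user_args_*` bodies, the `abi` and length parameters, `struct demo_req`, the sample buffers and the little-endian i386/x86-64 layouts are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical API: user_args_* follows the sketch in the mail, not real kernel code. */
enum ua_abi { UA_ABI32, UA_ABI64 };  /* assumed i386-style and x86-64-style layouts */
typedef struct {
    const unsigned char *buf;        /* kernel-side copy of the userland struct */
    size_t len, off;                 /* copied size and read cursor */
    enum ua_abi abi;
    int err;                         /* sticky: set once a read would pass len */
} user_args;
struct demo_req { int flags; long long size; long long count; }; /* decoded form */
/* Constructed sample input: flags=7, size=2^32, count=-2 in each layout. */
static const unsigned char sample32[16] = {7,0,0,0, 0,0,0,0,1,0,0,0, 0xfe,0xff,0xff,0xff};
static const unsigned char sample64[24] = {7,0,0,0, 0,0,0,0, 0,0,0,0,1,0,0,0,
                                           0xfe,0xff,0xff,0xff,0xff,0xff,0xff,0xff};

void user_args_start(user_args *a, const void *copy, size_t len, enum ua_abi abi)
{ a->buf = copy; a->len = len; a->off = 0; a->abi = abi; a->err = 0; }

/* Align the cursor, bounds-check, then read `size` little-endian bytes. */
static uint64_t ua_read(user_args *a, size_t size, size_t align)
{
    size_t start = (a->off + align - 1) & ~(align - 1);
    uint64_t v = 0;
    if (a->err || start > a->len || size > a->len - start) { a->err = 1; return 0; }
    for (size_t i = 0; i < size; i++)
        v |= (uint64_t)a->buf[start + i] << (8 * i);
    a->off = start + size;
    return v;
}
int user_args_get_int(user_args *a) { return (int32_t)(uint32_t)ua_read(a, 4, 4); }
long long user_args_get_long(user_args *a)  /* 4 bytes on ABI32, sign-extended */
{
    if (a->abi == UA_ABI32) return (int32_t)(uint32_t)ua_read(a, 4, 4);
    return (int64_t)ua_read(a, 8, 8);
}
/* i386 aligns long long to 4 bytes inside structs, x86-64 to 8. */
long long user_args_get_longlong(user_args *a)
{ return (int64_t)ua_read(a, 8, a->abi == UA_ABI32 ? 4 : 8); }

/* Decode { int flags; long long size; long count; } from either layout. */
int demo_parse(const void *copy, size_t len, enum ua_abi abi, struct demo_req *out)
{
    user_args a;
    user_args_start(&a, copy, len, abi);
    out->flags = user_args_get_int(&a);
    out->size  = user_args_get_longlong(&a);
    out->count = user_args_get_long(&a);
    return a.err ? -1 : 0;           /* a short buffer fails the whole decode */
}
int main(void)
{ struct demo_req r; return demo_parse(sample32, sizeof sample32, UA_ABI32, &r); }
```

The same `demo_parse` body yields identical field values from the 16-byte and the 24-byte layout, and the size argument suggested in the mail is what lets a truncated or mislabelled buffer be rejected instead of read past its end.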
    


