> I'm working on a LSM policy dedicated to sandbox
> (http://www.lri.fr/~magniett/sblsm.html).

Do you really need a completely new security module, or could you use one of the existing security modules (e.g. SELinux, DTE) and merely customize the security policy configuration? Your call, of course, but it might save you some time if you can use an existing security module with your own policy configuration.

> I was working on a 2.4.18-lsm1 version, waiting that the 2.5 api to
> stabilize.
> Now my policy seems to work a little bit, I'd like to port it for the
> 2.5 kernel series and I have some questions:
>
> - where are the socket hooks?
> - where are the module hooks?
> - where is the reboot hook?
> I can't find this in the 2.5.51 dummy.c file and nothing on this in the
> mailing-list.

Not all of the LSM hooks have been merged yet into the mainline 2.5 kernel, e.g. some of the System V IPC hooks, some of the miscellaneous system hooks, and the socket/networking hooks. Since LSM is now completely configurable, we can hopefully proceed to submit the remaining hooks.

However, note that the module hooks were removed even from the lsm-2.5 BitKeeper tree and patches after they were challenged by the kernel developers as being useless, duplicative of the capability checks, and unused by any existing security module. A similar fate may await some of the other hooks.

Until LSM is completely merged into the mainline 2.5 kernel, I'd suggest using the lsm-2.5 BitKeeper tree. It is presently at 2.5.50, but I'd expect 2.5.51 to be merged relatively soon.

> - Is there a means to know how many bytes are written on the disk for a
> write syscall?

Not using LSM.

> - Is there an "official" replacement for the sys_security syscall?
> (perhaps a sysctl could be a good idea)

Not as far as I know. Creating your own pseudo filesystem type seems to be the preferred method.
--
Stephen Smalley, NSA
sdsat_private
This archive was generated by hypermail 2b30 : Fri Dec 13 2002 - 10:56:31 PST