Hi! I'm working on a MEC (Mandatory Execution Control) module based on the LSM infrastructure of linux-2.4.19. The module's config file is /etc/mec.conf. In the config file, for example:

    /bin/bash !{ /bin/ping }   # This means a /bin/bash process can execute anything but /bin/ping.
    /bin/tcsh { /bin/ls }      # This means a /bin/tcsh process can only execute /bin/ls.

In the module init function, first it reads its config file, parses it, extracts legal config entries from it and stores them (in kmalloced space) in kernel space in the form of a list:

    conf_list_head-->|(first conf info node)|    |(second conf info node)|
                     |Name:/bin/bash        |    |Name:/bin/tcsh         |
                     |Logic:list_deny       |    |Logic:list_allow       |
                     |binlist:/bin/ping     |    |binlist:/bin/ls        |
                     |next----------------------->|next----------------------->....

Then it tries to attach the proper mec config info to every process:

    lock_kernel();
    for_each_task(taskp)
        set_task_mec_info(taskp);
    unlock_kernel();

Here set_task_mec_info() first tries to get the process's full pathname (for example: /usr/sbin/httpd). (Currently, I have trouble doing this. Chris told me to use the code of proc_exe_link. I think that the code of proc_exe_link is just what I need. I tried, but when I make module_install, depmod said: "Unresolved symbol: mmput". I don't know why. I have included sched.h in the module. This problem may be stupid, but in fact I'm new to Linux. Please help me with this.)

Then it searches through the conf list to see if there is an entry for this pathname. If it finds one, it sets this task's void *security (in the task_struct) to point to the conf info node.

Here is the problem:

*** What if any other module uses the task's void *security pointer and sets it to some other value? (Do I really need to maintain a hash list of pid and conf info in the module?)

*** In a module based on LSM, how do I attach some config info permanently to an object (for example, from the point a task is forked until it exits)? alloc_security() and free_security() seem useless here.

*** In fact, I don't know when we need to use alloc_security(), then set_security(), then free_security(). Can anyone give me a scenario?

*** Do you have any suggestions about the way I store the config info in kernel space? It may be very childish.

Thanks.
X.H. Beijing

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
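As an added illustration of the policy format and the allow/deny decision described in the post above (my own userland C, not the poster's module and not kernel code): it parses the `exe { ... }` / `exe !{ ... }` grammar exactly as shown in the message into a linked list with the same Name/Logic/binlist fields, looks up a node by the parent's pathname the way set_task_mec_info() would, and then answers "may this parent exec this target?". The sample config text, the function names (mec_parse, mec_find, mec_exec_allowed, mec_free) and the policy of allowing execs for processes with no matching entry are all my assumptions; the real module would read /etc/mec.conf and store the nodes with kmalloc.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same information the post's conf info node carries. */
enum mec_logic { LIST_ALLOW, LIST_DENY };
#define MEC_MAX_BINS 16
#define MEC_PATH_MAX 256

struct mec_conf {
    char name[MEC_PATH_MAX];                 /* Name:    pathname of the parent process   */
    enum mec_logic logic;                    /* Logic:   list_allow or list_deny          */
    char binlist[MEC_MAX_BINS][MEC_PATH_MAX];/* binlist: executables the list refers to   */
    int nbins;
    struct mec_conf *next;
};

/* Constructed sample config in the grammar shown in the post (hypothetical contents). */
static const char MEC_SAMPLE_CONF[] =
    "/bin/bash !{ /bin/ping }   # bash may execute anything but ping\n"
    "/bin/tcsh { /bin/ls }      # tcsh may only execute ls\n"
    "\n"
    "# a comment-only line is ignored\n";

void mec_free(struct mec_conf *head)
{
    while (head) { struct mec_conf *n = head->next; free(head); head = n; }
}

/* Parse the whole config text. Returns the list head, or NULL on a malformed
 * entry (missing '{'/'!{' or unclosed '}'), so a bad file never yields a partial policy. */
struct mec_conf *mec_parse(const char *text)
{
    struct mec_conf *head = NULL, *tail = NULL;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);

        char *hash = strchr(line, '#');      /* '#' starts a comment */
        if (hash) *hash = '\0';

        char *save;
        char *tok = strtok_r(line, " \t", &save);
        if (!tok) continue;                  /* blank or comment-only line */

        struct mec_conf *node = calloc(1, sizeof *node);
        if (!node) { mec_free(head); return NULL; }
        strncpy(node->name, tok, MEC_PATH_MAX - 1);

        tok = strtok_r(NULL, " \t", &save);
        if (!tok || (strcmp(tok, "{") != 0 && strcmp(tok, "!{") != 0)) {
            free(node); mec_free(head); return NULL;
        }
        node->logic = (tok[0] == '!') ? LIST_DENY : LIST_ALLOW;

        int closed = 0;
        while ((tok = strtok_r(NULL, " \t", &save)) != NULL) {
            if (strcmp(tok, "}") == 0) { closed = 1; break; }
            if (node->nbins < MEC_MAX_BINS)
                strncpy(node->binlist[node->nbins++], tok, MEC_PATH_MAX - 1);
        }
        if (!closed) { free(node); mec_free(head); return NULL; }

        if (tail) tail->next = node; else head = node;
        tail = node;
    }
    return head;
}

/* The search set_task_mec_info() does: find the entry for a process pathname. */
struct mec_conf *mec_find(struct mec_conf *head, const char *exe)
{
    for (; head; head = head->next)
        if (strcmp(head->name, exe) == 0) return head;
    return NULL;
}

/* 1 if a process governed by `node` may exec `target`, 0 if not.
 * A process with no entry (node == NULL) is unrestricted (my assumption). */
int mec_exec_allowed(const struct mec_conf *node, const char *target)
{
    if (!node) return 1;
    int listed = 0;
    for (int i = 0; i < node->nbins; i++)
        if (strcmp(node->binlist[i], target) == 0) { listed = 1; break; }
    return node->logic == LIST_ALLOW ? listed : !listed;
}

int main(void)
{
    struct mec_conf *head = mec_parse(MEC_SAMPLE_CONF);
    if (!head) { fprintf(stderr, "bad config\n"); return 1; }
    printf("bash -> ping: %d\n", mec_exec_allowed(mec_find(head, "/bin/bash"), "/bin/ping"));
    printf("bash -> ls:   %d\n", mec_exec_allowed(mec_find(head, "/bin/bash"), "/bin/ls"));
    printf("tcsh -> ls:   %d\n", mec_exec_allowed(mec_find(head, "/bin/tcsh"), "/bin/ls"));
    printf("tcsh -> ping: %d\n", mec_exec_allowed(mec_find(head, "/bin/tcsh"), "/bin/ping"));
    mec_free(head);
    return 0;
}
```

The parser refuses the whole file on any malformed entry rather than loading the entries it could read, since a silently truncated policy is exactly the failure a mandatory control should avoid; in the module that check would belong in the init function before any task is labelled.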
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 01:24:45 PST