RE: How to attach some config info permanently....

From: jan-erik.ekbergat_private
Date: Thu Jan 23 2003 - 02:36:01 PST


    Hi,
     
    I guess I could be of some help before USA wakes up, some of
    these 'confusions' I remember having myself. Like you, I am not
    a kernel expert, so there may be a deeper truth to these answers.
     
     I tried but when make module_install, depmod said :Unresolved symbol : mmput .
    
    The file linux/kernel/ksyms.c (or some similar place, e.g. arch/um/kernel/ksyms.c
    if you are using usermode-linux) contains definitions for functions (symbols) that
    are visible to you as a 'module maker'.  You can add new definitions
    (like EXPORT_SYMBOL(mmput)) and recompile the kernel (add a suitable prototype
    as well, the function is in kernel/fork.c), but remember that you are not 'kernel-independent'
    any more in that case. Probably you are using a function or a symbol that is not 'meant
    to be used' and there may be some other way to resolve the information you need.
     
      *** In a module based on LSM, how to attach some config info permanently to an object
     
    The security pointers are just for that. Like 'If find one, then set this task's
    void *security( in the task_struct ) to point ...', You have to take care of memory
    allocation yourself, though. See the documentation at lsm.immunix.org. And I guess there
    is no clear solution to the problem that several modules may use these pointers, but
    if my memory serves me right that was discussed on this list a while ago 
    (look at the archives), so maybe things are improving in future versions of LSM.
    
    Do you really have to resolve PIDs <-> executable names in the kernel for running processes?
    Couldn't you use the /proc in userspace, and only for 'new processes' kernel resolving?  At
    least in the 'old' version of LSM I am using you can get to the name in
    'binprm_alloc_security' with something like bprm->file->f_dentry->d_name.name which is
    called prior to loading the executable.
     
    Hope this is of some use to you.
     
     Reg.
                   Jan-Erik
     
    
    	-----Original Message----- 
    	From: ext 东方 蠡文 [mailto:phanixat_private] 
    	Sent: Thu 1/23/2003 11:26 AM 
    	To: linux-security-moduleat_private 
    	Cc: 
    	Subject: How to attach some config info permanently....
    	
    	
    
    
    	Hi!
    	
    	 I'm working on a MEC(Mandatory Execution Control) module based on
    	 the LSM infrastructure of linux-2.4.19.
    	 The module's config file is /etc/mec.conf. In the config file, for
    	example:
    	
    	 /bin/bash
    	 !{
    	  /bin/ping
    	 }
    	 #This means a /bin/bash process can execute anything but /bin/ping.
    	
    	 /bin/tcsh
    	 {
    	  /bin/ls
    	 }
    	 #This means a /bin/tcsh process can only execute /bin/ls.
    	
    	 In the module init function,
    	 First, it reads its config file, parses it, extracts legal
    	 config entries from it and stores them (in kmalloced space) in kernel
    	 space in the form of a list:
    	
    	 conf_list_head-->|(first conf info node)|    |(second conf info node)|
    	                  |Name:/bin/bash        |    |Name:/bin/tcsh         |
    	                  |Logic:list_deny       |    |Logic:list_allow       |
    	                  |binlist:/bin/ping     |    |binlist:/bin/ls        |
    	                  |next----------------->|    |next------------------>....
    	
    	 Then it tries to attach proper mec config info to every process:
    	
    	 lock_kernel();
    	 for_each_task(taskp)
    	   set_task_mec_info(taskp);
    	 unlock_kernel();
    	
    	 Here set_task_mec_info() first tries to get the process's full pathname
    	 (for example: /usr/sbin/httpd)
    	 (Currently, I have trouble doing this. Chris told me to use the code
    	  of proc_exe_link. I think that the code of proc_exe_link is just what I
    	  need.
    	  I tried but when make module_install, depmod said :Unresolved symbol :
    	  mmput .
    	  I don't know why. I have included sched.h in the module.
    	  This problem may be stupid. But in fact I'm new to linux. Please help me
    	  with this. )
    	 Then it searches through the conf list to see if there is an entry for this
    	 pathname.
    	 If it finds one, then it sets this task's void *security( in the task_struct ) to
    	 point to the conf info node.
    	
    	 Here is the problem:
    	 *** What if any other module uses the task's void *security pointer and sets it
    	     to some other value? ( Do I really need to maintain a hashlist of pid and
    	     confinfo in the module? )
    	 *** In a module based on LSM, how to attach some config info permanently
    	     to an object (for example, from the point a task is forked until it exits)?
    	     alloc_security() and free_security() seem useless here.
    	 *** In fact, I don't know when we need to use alloc_security(),
    	     then set_security(), then free_security(). Can anyone give me a
    	     scenario?
    	 *** Do you have any suggestions about the way I store the config info in
    	     the kernel space? It may be very childish.
    	
    	 Thanks.
    	
    	                                                         X.H.Beijing
    	
    	_______________________________________________
    	linux-security-module mailing list
    	linux-security-moduleat_private
    	http://mail.wirex.com/mailman/listinfo/linux-security-module
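The /etc/mec.conf format and the conf-list structure sketched in the question above, as an added example that is not from the thread or from the poster's module: a user-space C model that parses the config text into the (Name, Logic, binlist) nodes the question draws, and then evaluates the allow/deny decision a module like this would make at exec time. All function names, the fixed-size binlist table, the sample config string (copied from the question) and the rule that a parent with no entry is unrestricted are assumptions for this example.

```c
/* Added example: user-space model of the mec.conf policy from the question.
 * Names, limits and the "no entry = unrestricted" rule are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum mec_logic { MEC_LIST_ALLOW, MEC_LIST_DENY };   /* "{" vs "!{" blocks */
#define MEC_MAX_BINS 16
#define MEC_PATH_MAX 256

struct mec_conf {
    char name[MEC_PATH_MAX];                 /* the parent executable */
    enum mec_logic logic;
    char binlist[MEC_MAX_BINS][MEC_PATH_MAX];
    int nbins;
    struct mec_conf *next;
};

/* Constructed sample config, copied from the question's example. */
static const char SAMPLE_CONF[] =
    "/bin/bash\n!{\n  /bin/ping\n}\n"
    "#This means a /bin/bash process can execute anything but /bin/ping.\n\n"
    "/bin/tcsh\n{\n  /bin/ls\n}\n"
    "#This means a /bin/tcsh process can only execute /bin/ls.\n";

static char *trim(char *s)
{
    char *end;
    while (*s == ' ' || *s == '\t' || *s == '\r') s++;
    end = s + strlen(s);
    while (end > s && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r')) *--end = '\0';
    return s;
}

void mec_free(struct mec_conf *head)
{
    while (head) { struct mec_conf *n = head->next; free(head); head = n; }
}

/* Parse the config text into a singly linked list; NULL on syntax error. */
struct mec_conf *mec_parse(const char *text)
{
    struct mec_conf *head = NULL, *tail = NULL, *cur = NULL;
    int state = 0;                           /* 0: expect name, 1: expect { or !{, 2: in list */
    size_t len = strlen(text) + 1;
    char *buf = malloc(len), *p, *next;
    if (!buf) return NULL;
    memcpy(buf, text, len);
    for (p = buf; p; p = next) {
        char *nl = strchr(p, '\n'), *line;
        next = nl ? nl + 1 : NULL;
        if (nl) *nl = '\0';
        line = trim(p);
        if (*line == '\0' || *line == '#') continue;       /* blank line or comment */
        if (state == 0) {
            cur = calloc(1, sizeof *cur);
            if (!cur) { free(buf); mec_free(head); return NULL; }
            snprintf(cur->name, sizeof cur->name, "%s", line);
            state = 1;
        } else if (state == 1) {
            if (strcmp(line, "!{") == 0) cur->logic = MEC_LIST_DENY;
            else if (strcmp(line, "{") == 0) cur->logic = MEC_LIST_ALLOW;
            else { free(cur); free(buf); mec_free(head); return NULL; }   /* syntax error */
            state = 2;
        } else if (strcmp(line, "}") == 0) {
            if (tail) tail->next = cur; else head = cur;   /* append finished node */
            tail = cur; cur = NULL; state = 0;
        } else if (cur->nbins < MEC_MAX_BINS) {
            snprintf(cur->binlist[cur->nbins++], MEC_PATH_MAX, "%s", line);
        }                                                  /* overflow entries are dropped */
    }
    free(cur);                               /* an unterminated block is discarded */
    free(buf);
    return head;
}

const struct mec_conf *mec_find(const struct mec_conf *head, const char *name)
{
    for (; head; head = head->next)
        if (strcmp(head->name, name) == 0) return head;
    return NULL;
}

/* 1 = parent may exec child, 0 = denied. Assumption: no entry means unrestricted. */
int mec_check(const struct mec_conf *head, const char *parent, const char *child)
{
    const struct mec_conf *e = mec_find(head, parent);
    int listed = 0, i;
    if (!e) return 1;
    for (i = 0; i < e->nbins; i++)
        if (strcmp(e->binlist[i], child) == 0) { listed = 1; break; }
    return e->logic == MEC_LIST_DENY ? !listed : listed;
}

/* Convenience wrappers over the constructed sample: parse, decide, free. */
int mec_demo_check(const char *parent, const char *child)
{
    struct mec_conf *head = mec_parse(SAMPLE_CONF);
    int ok = head ? mec_check(head, parent, child) : -1;
    mec_free(head);
    return ok;
}

int mec_demo_count(void)
{
    struct mec_conf *head = mec_parse(SAMPLE_CONF);
    const struct mec_conf *e;
    int n = 0;
    for (e = head; e; e = e->next) n++;
    mec_free(head);
    return n;
}

int main(void)
{
    printf("entries parsed: %d\n", mec_demo_count());
    printf("/bin/bash -> /bin/ping: %s\n", mec_demo_check("/bin/bash", "/bin/ping") ? "allow" : "deny");
    printf("/bin/tcsh -> /bin/ls:   %s\n", mec_demo_check("/bin/tcsh", "/bin/ls") ? "allow" : "deny");
    return 0;
}
```

In the kernel module, mec_check() is what would run in the exec hook rather than over a snapshot of every task, which sidesteps the proc_exe_link/mmput problem for new processes. One caveat on the hint in the reply: bprm->file->f_dentry->d_name.name is only the final path component of the dentry, not a full path, so comparing it against entries like /bin/ping in this list would let any identically named binary in another directory match; a policy keyed on full paths needs the full path reconstructed from the dentry before the lookup.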
    
    	
    



    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 02:36:31 PST