Hi,

I guess I could be of some help before USA wakes up, some of these 'confusions' I remember having myself. Like you, I am not a kernel expert, so there may be a deeper truth to these answers.

> I tried but when make module_install, depmod said :Unresolved symbol : mmput .

The file linux/kernel/ksyms.c (or some similar place, e.g. arch/um/kernel/ksyms.c if you are using usermode-linux) contains definitions for functions (symbols) that are visible to you as a 'module maker'. You can add new definitions (like EXPORT_SYMBOL(mmput)) and recompile the kernel (add a suitable prototype as well, the function is in kernel/fork.c), but remember that you are not 'kernel-independent' any more in that case. Probably you are using a function or a symbol that is not 'meant to be used' and there may be some other way to resolve the information you need.

> *** In a module based on LSM, how to attach some config info permanently to an object

The security pointers are just for that. Like 'If find one, then set this task's void *security( in the task_struct ) to point ...'. You have to take care of memory allocation yourself, though. See the documentation at lsm.immunix.org. And I guess there is no clear solution to the problem that several modules may use these pointers, but if my memory serves me right that was discussed on this list a while ago (look at the archives), so maybe things are improving in future versions of LSM.

Do you really have to resolve PIDs <-> executable names in the kernel for running processes? Couldn't you use the /proc in userspace, and only for 'new processes' kernel resolving? At least in the 'old' version of LSM I am using you can get to the name in 'binprm_alloc_security' with something like

    bprm->file->f_dentry->d_name.name

which is called prior to loading the executable.

Hope this is of some use to you.

Reg.
Jan-Erik

-----Original Message-----
From: ext 东方 蠡文 [mailto:phanixat_private]
Sent: Thu 1/23/2003 11:26 AM
To: linux-security-moduleat_private
Cc:
Subject: How to attach some config info permanently....

Hi!

I'm working on a MEC (Mandatory Execution Control) module based on the LSM infrastructure of linux-2.4.19. The module's config file is /etc/mec.conf. In the config file, for example:

    /bin/bash !{ /bin/ping }   #This means a /bin/bash process can execute anything but /bin/ping.
    /bin/tcsh { /bin/ls }      #This means a /bin/tcsh process can only execute /bin/ls.

In the module init function, first, it reads its config file, parses it, extracts legal config entries from it and stores them (in the space kmalloced) in kernel space in the form of a list:

    conf_list_head-->|(first conf info node)|     |(second conf info node)|
                     |Name:/bin/bash        |     |Name:/bin/tcsh         |
                     |Logic:list_deny       |     |Logic:list_allow       |
                     |binlist:/bin/ping     |     |binlist:/bin/ls        |
                     |next----------------------->|next------------------------->....

Then it tries to attach proper mec config info to every process:

    lock_kernel();
    for_each_task(taskp)
        set_task_mec_info(taskp);
    unlock_kernel();

Here set_task_mec_info() first tries to get the process's full pathname (for example: /usr/sbin/httpd) (Currently, I have trouble doing this. Chris told me to use the code of proc_exe_link. I think that the code of proc_exe_link is just what I need. I tried but when make module_install, depmod said :Unresolved symbol : mmput . I don't know why. I have included sched.h in the module. This problem may be stupid. But in fact I'm new to linux. Please help me with this. )

Then search through the conf list to see if there is an entry for this pathname. If find one, then set this task's void *security( in the task_struct ) to point to the conf info node.

Here is the problem:

*** What if any other module uses task's void *security pointer and set it to some other value? (Do I really need to maintain a hashlist of pid and confinfo in the module?)

*** In a module based on LSM, how to attach some config info permanently to an object (for example, from the point a task is forked until it exits)? alloc_security() and free_security() seems useless here.

*** In fact, I don't know when do we need to use alloc_security(), then set_security(), then free_security(). Can anyone give me a scenario?

*** Do u have any suggestions about the way I store the config info in the kernel space? It may be very childish.

Thanks.
X.H.Beijing
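
The /etc/mec.conf rule format and the list_allow / list_deny decision described in the question, as an added userspace C example that is not code from either post. The names mec_entry, mec_parse_line and mec_may_exec and the size limits are assumptions made for illustration; a kernel module would hold the same fields in kmalloc'ed list nodes.

```c
#include <string.h>

enum { MEC_MAX_BINS = 8, MEC_PATH_LEN = 128 };      /* assumed limits */
enum mec_logic { MEC_LIST_ALLOW, MEC_LIST_DENY };   /* "{ }" vs "!{ }" */
struct mec_entry {                /* hypothetical conf info node */
    char name[MEC_PATH_LEN];      /* executable the rule applies to */
    enum mec_logic logic;
    char bins[MEC_MAX_BINS][MEC_PATH_LEN];
    int nbins;
};

/* Parse "<path> [!]{ <path> ... } [#comment]"; 0 on success, -1 if malformed. */
int mec_parse_line(const char *line, struct mec_entry *e)
{
    char buf[256], *p, *open, *close, *tok;
    const char *ws = " \t\n";

    if (strlen(line) >= sizeof(buf)) return -1;
    strcpy(buf, line);
    if ((p = strchr(buf, '#'))) *p = '\0';          /* drop trailing comment */
    open = strchr(buf, '{');
    close = open ? strchr(open, '}') : NULL;
    if (!close) return -1;                          /* no "{ ... }" list */
    *open = *close = '\0';
    memset(e, 0, sizeof(*e));                       /* logic = MEC_LIST_ALLOW */
    for (p = open; p > buf && (p[-1] == ' ' || p[-1] == '\t'); ) p--;
    if (p > buf && p[-1] == '!') { e->logic = MEC_LIST_DENY; p[-1] = '\0'; }
    tok = strtok(buf, ws);                          /* subject path, exactly one */
    if (!tok || tok[0] != '/' || strlen(tok) >= MEC_PATH_LEN || strtok(NULL, ws))
        return -1;
    strcpy(e->name, tok);
    for (tok = strtok(open + 1, ws); tok; tok = strtok(NULL, ws)) {
        if (e->nbins == MEC_MAX_BINS || tok[0] != '/' || strlen(tok) >= MEC_PATH_LEN)
            return -1;                              /* too many entries or bad path */
        strcpy(e->bins[e->nbins++], tok);
    }
    return 0;
}

/* 1 if a process running e->name may execute target, else 0. */
int mec_may_exec(const struct mec_entry *e, const char *target)
{
    int i, listed = 0;
    for (i = 0; i < e->nbins; i++) listed |= !strcmp(e->bins[i], target);
    return e->logic == MEC_LIST_DENY ? !listed : listed;
}

int main(void) {   /* exits 0: the post's first rule parses and denies /bin/ping */
    struct mec_entry e;
    return mec_parse_line("/bin/bash !{ /bin/ping }", &e) || mec_may_exec(&e, "/bin/ping");
}
```

An empty allow list permits nothing and an empty deny list permits everything, so a rule such as `/bin/tcsh { }` locks that shell out of every exec.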
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 02:36:31 PST