Hi,
I guess I could be of some help before USA wakes up, some of
these 'confusions' I remember having myself. Like you, I am not
a kernel expert, so there may be a deeper truth to these answers.
> I tried but when make module_install, depmod said :Unresolved symbol : mmput .
The file linux/kernel/ksyms.c (or some similar place, e.g. arch/um/kernel/ksyms.c
if you are using usermode-linux) contains definitions for functions (symbols) that
are visible to you as a 'module maker'. You can add new definitions
(like EXPORT_SYMBOL(mmput)) and recompile the kernel (add a suitable prototype
as well, the function is in kernel/fork.c), but remember that you are not 'kernel-independent'
any more in that case. Probably you are using a function or a symbol that is not 'meant
to be used' and there may be some other way to resolve the information you need.
> *** In a module based on LSM, how to attach some config info permanently to an object
The security pointers are just for that. Like 'If find one, then set this task's
void *security( in the task_struct ) to point ...', You have to take care of memory
allocation yourself, though. See the documentation at lsm.immunix.org. And I guess there
is no clear solution to the problem that several modules may use these pointers, but
if my memory serves me right that was discussed on this list a while ago
(look at the archives), so maybe things are improving in future versions of LSM.
Do you really have to resolve PIDs <-> executable names in the kernel for running processes?
Couldn't you use /proc in userspace, and do the kernel resolving only for 'new processes'? At
least in the 'old' version of LSM I am using you can get to the name in
'binprm_alloc_security' with something like bprm->file->f_dentry->d_name.name which is
called prior to loading the executable.
Hope this is of some use to you.
Reg.
Jan-Erik
-----Original Message-----
From: ext 东方 蠡文 [mailto:phanix@hotmail.com]
Sent: Thu 1/23/2003 11:26 AM
To: linux-security-module@wirex.com
Cc:
Subject: How to attach some config info permanently....
Hi!
I'm working on a MEC (Mandatory Execution Control) module based on
the LSM infrastructure of linux-2.4.19.
The module's config file is /etc/mec.conf. In the config file, for
example:
/bin/bash
!{
/bin/ping
}
#This means a /bin/bash process can execute anything but /bin/ping.
/bin/tcsh
{
/bin/ls
}
#This means a /bin/tcsh process can only execute /bin/ls.
In the module init function, it first reads its config file, parses it,
extracts legal config entries from it and stores them (in kmalloced space)
in kernel space in the form of a list:
conf_list_head --> |(first conf info node)  |     |(second conf info node)  |
                   |Name:    /bin/bash      |     |Name:    /bin/tcsh       |
                   |Logic:   list_deny      |     |Logic:   list_allow      |
                   |binlist: /bin/ping      |     |binlist: /bin/ls         |
                   |next -------------------+---->|next --------------------+----> ....
Then it tries to attach proper mec config info to every process:
lock_kernel();
for_each_task(taskp)
set_task_mec_info(taskp);
unlock_kernel();
Here set_task_mec_info() first tries to get the process's full pathname
(for example: /usr/sbin/httpd).
(Currently, I have trouble doing this. Chris told me to use the code
of proc_exe_link. I think that the code of proc_exe_link is just what I
need.
I tried, but when I make module_install, depmod said: Unresolved symbol : mmput.
I don't know why. I have included sched.h in the module.
This problem may be stupid. But in fact I'm new to Linux. Please help me
with this.)
Then it searches through the conf list to see if there is an entry for this
pathname.
If it finds one, it sets this task's void *security (in the task_struct) to
point to the conf info node.
Here is the problem:
*** What if any other module uses the task's void *security pointer and sets it
to some other value? (Do I really need to maintain a hashlist of pid and
confinfo in the module?)
*** In a module based on LSM, how to attach some config info permanently
to an object (for example, from the point a task is forked until it exits)?
alloc_security() and free_security() seem useless here.
*** In fact, I don't know when we need to use alloc_security(),
then set_security(), then free_security(). Can anyone give me a
scenario?
*** Do you have any suggestions about the way I store the config info in
the kernel space? It may be very childish.
Thanks.
X.H.Beijing
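The conf list and exec decision described in the post, as an added userspace example (not code from the post, the MEC module or the LSM tree): it parses the /etc/mec.conf format shown above into Name/Logic/binlist nodes and answers whether a given parent executable may run a child. The fixed array sizes and the choice that a parent with no entry is left unconstrained are my assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One "conf info node" as drawn in the post: Name, Logic, binlist, next. */
enum mec_logic { LIST_ALLOW, LIST_DENY };
struct mec_conf {
    char name[64]; enum mec_logic logic;   /* rule subject; "{" = allow-list, "!{" = deny-list */
    char binlist[8][64]; int nbins;        /* executables named inside the braces (sizes assumed) */
    struct mec_conf *next;
};
/* Constructed sample in the /etc/mec.conf format shown in the post. */
static const char MEC_SAMPLE[] =
    "/bin/bash\n!{\n/bin/ping\n}\n#bash may execute anything but ping\n"
    "/bin/tcsh\n{\n/bin/ls\n}\n#tcsh may only execute ls\n";
/* Parse conf text into a linked list and return its head (NULL if empty). */
struct mec_conf *mec_parse(const char *text)
{
    struct mec_conf *head = NULL, *tail = NULL, *cur = NULL;
    char *copy = strdup(text), *save = NULL; int in_block = 0;
    for (char *ln = strtok_r(copy, "\n", &save); ln; ln = strtok_r(NULL, "\n", &save)) {
        if (ln[0] == '#') continue;                          /* comment line */
        if (!strcmp(ln, "{") || !strcmp(ln, "!{")) {         /* block opener */
            if (cur) cur->logic = (ln[0] == '!') ? LIST_DENY : LIST_ALLOW;
            in_block = 1;
        } else if (!strcmp(ln, "}")) {                       /* block close */
            in_block = 0; cur = NULL;
        } else if (in_block) {                               /* binlist entry */
            if (cur && cur->nbins < 8) snprintf(cur->binlist[cur->nbins++], 64, "%s", ln);
        } else {                                             /* new rule: its Name */
            if (!(cur = calloc(1, sizeof *cur))) break;
            snprintf(cur->name, sizeof cur->name, "%s", ln);
            if (tail) tail->next = cur; else head = cur;
            tail = cur;
        }
    }
    free(copy);
    return head;
}
/* May a process running `parent` exec `child`? No entry for parent = unconstrained (assumed). */
int mec_allowed(const struct mec_conf *head, const char *parent, const char *child)
{
    int listed = 0;
    while (head && strcmp(head->name, parent)) head = head->next;   /* find the rule */
    if (!head) return 1;
    for (int i = 0; i < head->nbins && !listed; i++)
        listed = !strcmp(head->binlist[i], child);
    return head->logic == LIST_DENY ? !listed : listed;             /* "!{" inverts the list */
}
```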
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 02:36:31 PST