Re: How to attach some config info permanently....

From: Seth Arnold (sarnoldat_private)
Date: Thu Jan 23 2003 - 11:26:23 PST

  • Next message: Stephen D. Smalley: "[patch] directly include security.h"

    On Thu, Jan 23, 2003 at 05:26:06PM +0800, ???? ???? wrote:
    > Here is the problem:
    > *** What if any other module uses task's void *security pointer and
    >     set it to some other value?( Do I realy need to maintain a
    >     hashlist of pid and confinfo in the module? )
    
    No; as a security module, you can prevent other modules from loading.
    Thus you can ensure that you are the only one using the security
    pointers.
    
    > *** In a module based on LSM, how to attach some config info
    >     permanently to an object(for example, from the point a task is
    >     forked until it exits)?  alloc_security() and free_security()
    >     seems useless here.
    > *** In fact, I don't know when do we need to use alloc_securit(),
    >     then set_security(), then free_security().Can anyone give me a
    >     scenario?
    
    The usage is that you allocate some storage (either on your own private
    slab, or through kmalloc) however much memory your need with
    alloc_security(), and attach the storage to the task with *security.
    Then, in set_security(), you compute whatever settings you'd like to
    apply to that specific task and store them in the storage your allocated
    earlier.
    
    Where this may break down is for tasks that existed before your module
    was loaded. SELinux probably has some hints :) probably in the form of
    preconditions. (Though their official position is that SELinux should be
    linked into the kernel image, to ensure that all processes are confined.)
    
    > *** Do u have any suggestions about the way I store the config info in   
    >     the kernel space? It may be very childish.
    
    I guess it mostly depends on your predicted access patterns for the
    data. Chances are good that using per-task structs stored on a private
    slab is the way to go. However, since your pathname strings may be
    rather long, you may see better results to have a structure of pointers
    to the strings stored in kmalloc()ed space.
    
    Check out Linux Device Drivers, 2nd edition, for details on creating
    your own private slabs: http://www.xml.com/ldd/chapter/book/
    
    
    

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module



    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 11:27:47 PST