> I wondered what you consider best for the communication between kernel-
> and userland of a LSM module (e.g. for reading in a configuration file)?
>
> I saw the lids lsm module uses filp_open() and parses the config file
> within the module (which I consider as unclean ...), selinux is using its
> own implementation of fopen().
> At the moment I'm parsing the config file with a userland tool and I'm
> using the sys_security syscall to transfer all the information to the
> module ... but it's quite unhandy.
>
> What is your opinion on this?

Note that SELinux has a userland tool (checkpolicy) that compiles the text-based policy configuration into a binary representation for the kernel before it is loaded by the kernel module (when it is called by the load_policy tool). Also, we have reimplemented this code in SELinux in preparation for submission to mainline 2.5 to have an interface more like init_module except using a pseudo filesystem rather than a syscall, i.e. the load_policy tool now simply opens and mmaps the binary policy file and then transfers it to the kernel module by writing it to a pseudo filesystem node.

Note that sys_security has been removed from 2.5, so you cannot rely on it, and the entire SELinux API is being overhauled. A snapshot of the revised SELinux code should be available soon for public scrutiny.

--
Stephen Smalley, NSA

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
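The transfer mechanism described in the reply (open the compiled policy, mmap it, hand the whole image to the kernel with one write to a pseudo-filesystem node) as an added example; this is not code from the original message, from load_policy or from libselinux. The node path `/selinux/load` is an assumption (the message does not name the node), the policy bytes used by the self-test are constructed and carry no real policy format, and the self-test writes to an ordinary temp file standing in for the pseudo-filesystem node so that it runs offline without a kernel module. Zero-length files are rejected up front (mmap of an empty file fails), a short write is reported as an error rather than retried, because an in-kernel load handler of this style consumes the complete image from a single write call, and the descriptor for the policy file is closed as soon as the mapping exists.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed location of the policy-load node; the original message does not name it. */
#define POLICY_LOAD_NODE "/selinux/load"

/*
 * Hand a compiled policy image to the kernel: mmap the whole file and write
 * it to the pseudo-filesystem node in one write() call.  Returns the number
 * of bytes accepted, or -1 with errno set.
 */
ssize_t load_policy_image(const char *policy_path, const char *node_path)
{
    int pfd = open(policy_path, O_RDONLY);
    if (pfd < 0)
        return -1;

    struct stat st;
    if (fstat(pfd, &st) < 0) {
        int e = errno; close(pfd); errno = e; return -1;
    }
    /* mmap() of a zero-length file fails, and a non-regular file has no usable size. */
    if (!S_ISREG(st.st_mode) || st.st_size == 0) {
        close(pfd); errno = EINVAL; return -1;
    }

    size_t len = (size_t)st.st_size;
    void *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, pfd, 0);
    close(pfd);                     /* the mapping outlives the descriptor */
    if (map == MAP_FAILED)
        return -1;

    ssize_t n = -1;
    int nfd = open(node_path, O_WRONLY);
    if (nfd >= 0) {
        n = write(nfd, map, len);   /* the whole image in a single write */
        int e = errno;
        close(nfd);
        errno = e;
        if (n >= 0 && (size_t)n != len) {
            n = -1; errno = EIO;    /* a partial image is not a loaded policy */
        }
    }
    int e = errno;
    munmap(map, len);
    errno = e;
    return n;
}

/*
 * Offline self-test: a constructed (meaningless) image goes into a temp
 * file, is "loaded" into a second temp file that stands in for the node,
 * and is read back and compared.  Returns 1 on success, 0 otherwise.
 */
int selftest_roundtrip(void)
{
    static const unsigned char image[] = {   /* constructed sample bytes */
        0xde, 0xad, 0xbe, 0xef, 'p', 'o', 'l', 'i', 'c', 'y', 0, 1, 2, 3, 4, 5
    };
    char ppath[] = "/tmp/policy.XXXXXX", npath[] = "/tmp/node.XXXXXX";
    int pfd = mkstemp(ppath);
    if (pfd < 0) return 0;
    int nfd = mkstemp(npath);
    if (nfd < 0) { close(pfd); unlink(ppath); return 0; }
    close(nfd);
    int wrote = write(pfd, image, sizeof image) == (ssize_t)sizeof image;
    close(pfd);

    ssize_t n = wrote ? load_policy_image(ppath, npath) : -1;

    unsigned char back[sizeof image + 1];
    int rfd = open(npath, O_RDONLY);
    ssize_t r = rfd >= 0 ? read(rfd, back, sizeof back) : -1;
    if (rfd >= 0) close(rfd);
    unlink(ppath); unlink(npath);
    return n == (ssize_t)sizeof image && r == (ssize_t)sizeof image &&
           memcmp(image, back, sizeof image) == 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s policy.bin [node]\n", argv[0]); return 2; }
    ssize_t n = load_policy_image(argv[1], argc > 2 ? argv[2] : POLICY_LOAD_NODE);
    if (n < 0) { perror("load_policy_image"); return 1; }
    printf("loaded %zd bytes\n", n);
    return 0;
}
```

Run as `./a.out policy.bin /tmp/somefile` to exercise it against a regular file; against a real pseudo-filesystem node the same write is what delivers the image, and the kernel side is where the format is validated, so a non-negative return here only means the bytes were accepted by the node.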
This archive was generated by hypermail 2b30 : Mon Apr 07 2003 - 08:53:28 PDT