Re: [RFC] SO_PEERSEC - security credentials for Unix stream sockets

From: James Morris (jmorris@private)
Date: Tue Dec 16 2003 - 05:19:44 PST

  • Next message: Stephen Smalley: "Re: [RFC] SO_PEERSEC - security credentials for Unix stream sockets"

    On Mon, 15 Dec 2003, Chris Wright wrote:
    
    > * James Morris (jmorris@private) wrote:
    > > I'm not sure how this would be a namespace issue -- do you mean a data 
    > > format issue?
    > 
    > I just mean, applications are coded for specific security module.
    
    Applications which are security aware (i.e. only a few of them) will need 
    to know the semantics of the security model that they are interacting 
    with, so I'm not sure that namespace is going to be the biggest challenge.  
    
    A good way to handle this is to use external pluggable modules like PAM.
    
    > 
    > > Yep, allowing the security module to update the returned length is now
    > > implemented.
    > > 
    > > > Perhaps buffer is too small, can len be vector for that info?
    > > 
    > > I would not advise updating len on error -- it's a bad idea in general to
    > > interpret any returned data from failed syscalls except the error number.
    > 
    > Right, in some cases a NULL buffer or 0 buflen is a probe for size.
    
    It's not reliable: the required buffer size could change between calls.  
    Do you know of any examples of syscalls which do this?
    
    
    - James
    -- 
    James Morris
    <jmorris@private>
    



    This archive was generated by hypermail 2b30 : Tue Dec 16 2003 - 05:20:36 PST