Re: Updated BSD Secure Levels Patch

From: Petr Baudis (pasky@private)
Date: Sat Jan 10 2004 - 08:31:37 PST

  • Next message: Chris Wright: "Docu for sb_kern_mount hook"

    Dear diary, on Wed, Dec 03, 2003 at 10:47:08PM CET, I got a letter,
    where Michael Halcrow <mahalcro@private> told me, that...
    > This patches security/Makefile and security/Kconfig and creates
    > security/seclvl.c.  Previous patches that Serge sent to this list
    > address the settime hooks.
    > Changelog:
    >    12/02/2003  Updated by Michael A. Halcrow:
    >      1. Removed seclvl from /proc filesystem.
    >      2. Generated seclvl directory, with seclvl and passwd
    >              attributes, in the sysfs filesystem.
    >      3. Implemented password-based secure level reduction.  The
    >              password may be passed in either as plain text via the
    >              plaintextPassword module parameter, or in its
    >              hexadecimal SHA1 form via the sha1Password module
    >              parameter.  Note that you can generate the SHA1
    >              representation of a password with the sha1sum utility:
    >              echo -n "secret" | sha1sum
    >      4. Implemented rate-limiting of kernel messages to the log.
    > Notice that, when you compile the module into the kernel, the initial
    > secure level is set to 0, as opposed to when you compile the module
    > as a stand-alone, in which case the initial secure level is set to 1.
    > Most distributions out there want to be able to load modules and the
    > sort while booting.
    Maybe you would be interested in one rather old patch available at, basically
    setting up the common 'security' subsystem for all LSMs to use. Despite
    its age I think it should still apply cleanly (mainly because it is
    really trivial). It was already reviewed by few people, but it got stuck
    on my lack of time to convert any existing LSM module to it, but if you
    used it, it could probably go to the kernel along it ;-).
    In fact, one LSM module used the sysfs infrastructure already (through
    the patch above) - I thought the
    idea was quite neat, but there was a complete lack of interest in this
    so I dismissed it for now. (I doubt you are interested in that at all,
    but just in case you would care, what do you think about it?)
    Kind regards,
    				Petr "Pasky" Baudis
    If a train station is where the train stops, what is a work station? --mj

    This archive was generated by hypermail 2b30 : Sat Jan 10 2004 - 08:33:04 PST