Re: LSM Stacker

From: David A. Wheeler (dwheeler@private)
Date: Wed Jan 05 2005 - 08:51:39 PST


tvrtko.ursulin@private wrote:
> I know about general module unload race condition and that is not what is 
> worrying me. We have a privilege that LSM modules must call 
> mod_unreg_security and that is the place we can take care of any possible 
> race conditions.

Okay.

> As I wrote in post, the problem is that in order to update a module I need 
> to unload it. I can't unload it if somebody else has stacked onto me! I 
> also can't avoid the module unload race by leaving the module loaded since 
> then I can't load the same module again.

I'm not sure I understand the phrase "somebody else has stacked onto me".
Who is "me"?  The stacking module?


> Therefore it is clear that we need in kernel stacker manager because it is 
> impossible to make a 100% correct solution from a module. In that way any 
> module can unload and be replaced.

It seems to me the stacking module be able to handle this.
E.G. if we have
  "stacker1" managing "LSM-1" and "LSM-2", then it would
  be "stacker1"'s job to deal with unloading.

If subordinate modules also support stacking, then again
it's their problem. E.G., if we have:
  "stacker1" managing "LSM-1" and "stacker2", and
     "stacker2" maanges "LSM-5" and "LSM-6",
then unloading LSM-5 should be the problem of stacker2.
Unloading stacker2 in its entirety would be stacker1's problem.
"stacker2" might be SELinux, since it has some limited stacking
capabilities, but again, that would be ITS call.

Actually, my stacker included a mechanism to allow
"replacing" of modules; you identified the module to replace
and the pointers were adjusted so that future calls were
made to the new one rather than the old one (the old
one was automatically disabled).  My code only let you
replace the "first" or "last" one, though it could be
generalized.  In the end this was a one-line pointer
manipulation, with setup requiring to make the one-line
actually work.  Here's the code that did that:
                 ORDER_REPLACE_FIRST:
                         /* Can only get here if 1+ modules. */
                         new_module_entry->next = stacked_modules->next;
                         if (penultimate_stacked_module==stacked_modules) {
                                 /* EXACTLY 2 modules */
                                 penultimate_stacked_module = new_module_entry;
                         }
                         stacked_modules->next_inactive =
                                 inactive_stacked_modules;
                         inactive_stacked_modules = stacked_modules;
                         wmb();
                         stacked_modules = new_module_entry;
                         break;
                 ORDER_REPLACE_LAST:
                         /* Can only get here if 2+ modules. */
                         new_module_entry->next = NULL;
                         (penultimate_stacked_module->next)->next_inactive =
                                 inactive_stacked_modules;
                         inactive_stacked_modules =
                                 penultimate_stacked_module->next;
                         wmb();
                         penultimate_stacked_module->next = new_module_entry;
                         break;



I can't help but think we're talking past each other
somehow, but I can't put my finger on exactly what it is.
I'm sorry, I don't mean to seem dense; I just don't understand
what the problem is.  This doesn't really seem to be
a problem to me.

--- David A. Wheeler



This archive was generated by hypermail 2.1.3 : Wed Jan 05 2005 - 09:01:06 PST