Re: LSM patch for Linux-2.4.20-8

From: Crispin Cowan (crispin@private)
Date: Wed Jan 19 2005 - 00:47:28 PST


LSM is only really standardized for Linux 2.6. LSM for various 2.4 
kernels is always somebody's custom port of something.

Are you doing all this work for learning or for production?

    * If for learning, then you should use the 2.6 kernel, as it is much
      more constructive and useful to work on building your module than
      to mess with trying to make patches fit.
    * If for production, then you should seriously look again at
      existing modules. It will be a long time before the from-scratch
      module you appear to be trying to build will be production-ready
      and secure.

Crispin

Syed Ahemed wrote:

>Is there an LSM patch for linux-2.4.20-8?
>I tried applying the patch-2.4.20-lsm1.gz to the version
>linux-2.4.20-8 and got the following rejects.
>The kernel doesn't compile due to these errors.
>
>bash-2.05b# zcat /usr/src/patches/patch-2.4.20-lsm1.gz | patch -p1
>patching file Documentation/Configure.help
>Hunk #1 succeeded at 26233 with fuzz 2 (offset -8 lines).
>patching file Documentation/DocBook/Makefile
>patching file Documentation/DocBook/deviceiobook.tmpl
>patching file Documentation/DocBook/kernel-api.tmpl
>patching file Documentation/DocBook/lsm.tmpl
>patching file Makefile
>Hunk #1 FAILED at 1.
>Hunk #2 FAILED at 121.
>Hunk #3 succeeded at 262 (offset 10 lines).
>2 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
>patching file arch/i386/boot/compressed/Makefile
>patching file arch/i386/config.in
>Hunk #1 succeeded at 506 (offset 51 lines).
>patching file arch/i386/kernel/entry.S
>Hunk #1 FAILED at 627.
>1 out of 1 hunk FAILED -- saving rejects to file arch/i386/kernel/entry.S.rej
>patching file arch/i386/kernel/ioport.c
>patching file arch/i386/kernel/ptrace.c
>Hunk #2 succeeded at 240 (offset 81 lines).
>patching file arch/ia64/config.in
>Hunk #1 succeeded at 287 (offset -6 lines).
>patching file arch/ia64/ia32/sys_ia32.c
>Hunk #2 succeeded at 3281 (offset 89 lines).
>patching file arch/ia64/kernel/entry.S
>patching file arch/ia64/kernel/ptrace.c
>Hunk #1 succeeded at 16 (offset 1 line).
>Hunk #2 succeeded at 1159 (offset 60 lines).
>patching file drivers/char/tty_io.c
>Hunk #1 succeeded at 1472 (offset 5 lines).
>patching file fs/attr.c
>patching file fs/buffer.c
>Hunk #1 succeeded at 2877 (offset 13 lines).
>patching file fs/dnotify.c
>patching file fs/dquot.c
>Hunk #1 succeeded at 1321 (offset -19 lines).
>Hunk #2 FAILED at 1417.
>1 out of 2 hunks FAILED -- saving rejects to file fs/dquot.c.rej
>patching file fs/exec.c
>Hunk #1 succeeded at 763 (offset 133 lines).
>Hunk #3 succeeded at 819 (offset 133 lines).
>Hunk #5 succeeded at 913 (offset 133 lines).
>Hunk #7 succeeded at 1006 (offset 133 lines).
>Hunk #9 succeeded at 1045 (offset 133 lines).
>patching file fs/fcntl.c
>Hunk #2 succeeded at 260 (offset -19 lines).
>Hunk #4 succeeded at 333 (offset -19 lines).
>Hunk #6 succeeded at 402 (offset -19 lines).
>patching file fs/file_table.c
>patching file fs/inode.c
>Hunk #2 FAILED at 76.
>Hunk #3 succeeded at 1069 (offset 2 lines).
>1 out of 3 hunks FAILED -- saving rejects to file fs/inode.c.rej
>patching file fs/ioctl.c
>patching file fs/locks.c
>Hunk #1 succeeded at 1286 (offset 11 lines).
>Hunk #3 succeeded at 1411 (offset 11 lines).
>Hunk #5 succeeded at 1442 (offset 11 lines).
>Hunk #7 succeeded at 1484 (offset 11 lines).
>Hunk #8 FAILED at 1491.
>Hunk #10 succeeded at 1517 (offset 11 lines).
>Hunk #12 succeeded at 1581 (offset 11 lines).
>Hunk #14 succeeded at 1625 (offset 11 lines).
>Hunk #15 FAILED at 1632.
>Hunk #17 succeeded at 1659 (offset 11 lines).
>2 out of 18 hunks FAILED -- saving rejects to file fs/locks.c.rej
>patching file fs/namei.c
>Hunk #4 FAILED at 346.
>Hunk #5 succeeded at 357 (offset 2 lines).
>Hunk #7 succeeded at 826 (offset 12 lines).
>Hunk #8 succeeded at 989 (offset 2 lines).
>Hunk #9 succeeded at 1040 (offset 12 lines).
>Hunk #10 succeeded at 1211 (offset 2 lines).
>Hunk #11 succeeded at 1290 (offset 12 lines).
>Hunk #12 succeeded at 1354 (offset 2 lines).
>Hunk #13 succeeded at 1463 (offset 12 lines).
>Hunk #14 succeeded at 1526 (offset 2 lines).
>Hunk #15 succeeded at 1608 (offset 12 lines).
>Hunk #16 succeeded at 1609 (offset 2 lines).
>Hunk #17 succeeded at 1687 (offset 12 lines).
>Hunk #18 succeeded at 1688 (offset 2 lines).
>Hunk #19 succeeded at 1813 (offset 12 lines).
>Hunk #20 succeeded at 1843 (offset 2 lines).
>Hunk #21 succeeded at 1888 (offset 12 lines).
>Hunk #22 succeeded at 1896 (offset 2 lines).
>1 out of 22 hunks FAILED -- saving rejects to file fs/namei.c.rej
>patching file fs/namespace.c
>patching file fs/nfsd/nfsctl.c
>patching file fs/nfsd/nfsfh.c
>patching file fs/open.c
>patching file fs/proc/base.c
>Hunk #1 FAILED at 329.
>1 out of 1 hunk FAILED -- saving rejects to file fs/proc/base.c.rej
>patching file fs/read_write.c
>Hunk #6 succeeded at 357 (offset 7 lines).
>Hunk #8 succeeded at 417 (offset 7 lines).
>patching file fs/readdir.c
>patching file fs/stat.c
>Hunk #3 succeeded at 161 (offset 119 lines).
>Hunk #4 FAILED at 200.
>Hunk #5 succeeded at 184 (offset -90 lines).
>Hunk #6 FAILED at 203.
>2 out of 6 hunks FAILED -- saving rejects to file fs/stat.c.rej
>patching file fs/super.c
>Hunk #1 FAILED at 27.
>Hunk #2 succeeded at 290 (offset 24 lines).
>Hunk #3 succeeded at 289 with fuzz 2 (offset 3 lines).
>Hunk #4 succeeded at 322 (offset 24 lines).
>Hunk #5 succeeded at 867 (offset 81 lines).
>Hunk #6 succeeded at 836 (offset 24 lines).
>1 out of 6 hunks FAILED -- saving rejects to file fs/super.c.rej
>patching file include/linux/binfmts.h
>Hunk #1 succeeded at 30 (offset 3 lines).
>patching file include/linux/fs.h
>Hunk #2 succeeded at 484 (offset 3 lines).
>Hunk #3 succeeded at 553 (offset 33 lines).
>Hunk #4 succeeded at 541 (offset 3 lines).
>Hunk #5 succeeded at 588 (offset 33 lines).
>Hunk #6 FAILED at 652.
>Hunk #7 succeeded at 730 (offset -2 lines).
>1 out of 7 hunks FAILED -- saving rejects to file include/linux/fs.h.rej
>patching file include/linux/input.h
>Hunk #1 succeeded at 474 (offset 1 line).
>patching file include/linux/ip.h
>patching file include/linux/ipc.h
>patching file include/linux/msg.h
>patching file include/linux/netdevice.h
>Hunk #1 succeeded at 445 (offset 7 lines).
>patching file include/linux/sched.h
>Hunk #1 succeeded at 509 with fuzz 2 (offset 99 lines).
>Hunk #2 succeeded at 724 (offset -16 lines).
>Hunk #3 succeeded at 855 (offset 99 lines).
>patching file include/linux/security.h
>patching file include/linux/shm.h
>patching file include/linux/skbuff.h
>patching file include/net/sock.h
>Hunk #1 succeeded at 678 with fuzz 2 (offset 10 lines).
>Hunk #2 succeeded at 684 (offset 1 line).
>Hunk #3 succeeded at 1158 (offset 10 lines).
>Hunk #4 succeeded at 1161 (offset 1 line).
>patching file include/net/tcp.h
>Hunk #1 succeeded at 520 (offset 1 line).
>patching file init/do_mounts.c
>Hunk #1 succeeded at 914 with fuzz 1 (offset 26 lines).
>patching file init/main.c
>Hunk #1 FAILED at 27.
>Hunk #2 succeeded at 407 (offset -4 lines).
>1 out of 2 hunks FAILED -- saving rejects to file init/main.c.rej
>patching file ipc/msg.c
>patching file ipc/sem.c
>patching file ipc/shm.c
>patching file ipc/util.c
>patching file kernel/acct.c
>Hunk #1 succeeded at 183 (offset 1 line).
>patching file kernel/capability.c
>Hunk #1 succeeded at 59 (offset 2 lines).
>Hunk #2 FAILED at 88.
>Hunk #3 FAILED at 107.
>Hunk #5 succeeded at 178 (offset 2 lines).
>2 out of 5 hunks FAILED -- saving rejects to file kernel/capability.c.rej
>patching file kernel/exit.c
>Hunk #1 FAILED at 13.
>Hunk #2 FAILED at 48.
>Hunk #3 succeeded at 1002 with fuzz 2 (offset 475 lines).
>2 out of 3 hunks FAILED -- saving rejects to file kernel/exit.c.rej
>patching file kernel/fork.c
>Hunk #1 FAILED at 22.
>Hunk #2 succeeded at 708 with fuzz 2 (offset 112 lines).
>Hunk #3 FAILED at 792.
>Hunk #4 succeeded at 846 with fuzz 2 (offset 69 lines).
>2 out of 4 hunks FAILED -- saving rejects to file kernel/fork.c.rej
>patching file kernel/kmod.c
>Hunk #1 succeeded at 125 (offset -7 lines).
>patching file kernel/ksyms.c
>Hunk #1 succeeded at 198 (offset 26 lines).
>patching file kernel/module.c
>Hunk #3 succeeded at 508 (offset 3 lines).
>Hunk #5 succeeded at 668 (offset 3 lines).
>patching file kernel/printk.c
>Hunk #1 succeeded at 173 (offset 1 line).
>patching file kernel/ptrace.c
>Reversed (or previously applied) patch detected!  Assume -R? [n]
>Apply anyway? [n] y
>Hunk #1 FAILED at 82.
>Hunk #2 FAILED at 96.
>Hunk #3 FAILED at 104.
>Hunk #4 FAILED at 127.
>4 out of 4 hunks FAILED -- saving rejects to file kernel/ptrace.c.rej
>patching file kernel/sched.c
>Hunk #1 FAILED at 29.
>Hunk #2 FAILED at 862.
>Hunk #3 FAILED at 883.
>Hunk #4 succeeded at 1597 with fuzz 2 (offset 640 lines).
>Hunk #5 FAILED at 1638.
>Hunk #6 FAILED at 1664.
>Hunk #7 FAILED at 1788.
>Hunk #8 FAILED at 1935.
>7 out of 8 hunks FAILED -- saving rejects to file kernel/sched.c.rej
>patching file kernel/signal.c
>Hunk #1 FAILED at 525.
>1 out of 1 hunk FAILED -- saving rejects to file kernel/signal.c.rej
>patching file kernel/sys.c
>Hunk #1 FAILED at 14.
>Hunk #2 FAILED at 212.
>Hunk #3 FAILED at 220.
>Hunk #4 succeeded at 358 (offset 80 lines).
>Hunk #6 succeeded at 519 (offset 80 lines).
>Hunk #7 FAILED at 548.
>Hunk #9 succeeded at 634 (offset 80 lines).
>Hunk #11 succeeded at 679 (offset 80 lines).
>Hunk #13 succeeded at 725 (offset 80 lines).
>Hunk #15 succeeded at 798 (offset 80 lines).
>Hunk #17 succeeded at 830 (offset 80 lines).
>Hunk #18 FAILED at 923.
>Hunk #19 succeeded at 880 (offset 13 lines).
>Hunk #20 FAILED at 908.
>Hunk #21 FAILED at 970.
>Hunk #22 succeeded at 1110 (offset 86 lines).
>Hunk #23 succeeded at 1081 (offset 13 lines).
>Hunk #24 succeeded at 1209 (offset 86 lines).
>Hunk #25 FAILED at 1224.
>Hunk #26 succeeded at 1233 (offset 14 lines).
>8 out of 26 hunks FAILED -- saving rejects to file kernel/sys.c.rej
>patching file kernel/sysctl.c
>Hunk #1 succeeded at 406 (offset 14 lines).
>patching file kernel/time.c
>patching file kernel/uid16.c
>patching file mm/filemap.c
>Hunk #1 succeeded at 24 with fuzz 2 (offset 1 line).
>Hunk #2 succeeded at 1896 (offset 130 lines).
>Hunk #3 succeeded at 1785 (offset 1 line).
>patching file mm/memory.c
>Hunk #1 FAILED at 45.
>1 out of 1 hunk FAILED -- saving rejects to file mm/memory.c.rej
>patching file mm/mmap.c
>Hunk #1 FAILED at 14.
>Hunk #2 succeeded at 480 (offset 1 line).
>1 out of 2 hunks FAILED -- saving rejects to file mm/mmap.c.rej
>patching file mm/mprotect.c
>Hunk #1 FAILED at 7.
>Hunk #2 succeeded at 307 (offset 7 lines).
>1 out of 2 hunks FAILED -- saving rejects to file mm/mprotect.c.rej
>patching file mm/oom_kill.c
>patching file mm/swapfile.c
>Hunk #1 succeeded at 748 (offset 18 lines).
>Hunk #2 succeeded at 917 (offset 2 lines).
>patching file net/core/datagram.c
>patching file net/core/dev.c
>Hunk #2 succeeded at 2617 (offset 37 lines).
>patching file net/core/rtnetlink.c
>patching file net/core/scm.c
>patching file net/core/skbuff.c
>patching file net/core/sock.c
>patching file net/ipv4/devinet.c
>patching file net/ipv4/ip_fragment.c
>patching file net/ipv4/ip_gre.c
>patching file net/ipv4/ip_options.c
>patching file net/ipv4/ip_output.c
>patching file net/ipv4/ipip.c
>patching file net/ipv4/ipmr.c
>patching file net/ipv4/netfilter/ip_queue.c
>patching file net/ipv4/syncookies.c
>patching file net/ipv4/tcp_ipv4.c
>Hunk #1 succeeded at 1309 (offset 10 lines).
>Hunk #3 succeeded at 1770 (offset 10 lines).
>patching file net/ipv4/tcp_minisocks.c
>Hunk #2 succeeded at 790 (offset 5 lines).
>patching file net/netlink/af_netlink.c
>patching file net/socket.c
>Hunk #1 succeeded at 514 (offset 12 lines).
>Hunk #3 succeeded at 847 (offset 14 lines).
>Hunk #5 succeeded at 921 (offset 14 lines).
>Hunk #7 succeeded at 1060 (offset 14 lines).
>Hunk #9 succeeded at 1126 (offset 14 lines).
>Hunk #11 succeeded at 1191 (offset 14 lines).
>Hunk #13 succeeded at 1354 (offset 14 lines).
>Hunk #15 succeeded at 1409 (offset 14 lines).
>patching file net/unix/af_unix.c
>patching file security/Config.in
>patching file security/Makefile
>patching file security/Makefile.in
>patching file security/capability.c
>patching file security/dte/Makefile
>patching file security/dte/Makefile.in
>patching file security/dte/dte.c
>patching file security/dte/dte.h
>patching file security/dte/inode.c
>patching file security/dte/module.c
>patching file security/dte/mount.c
>patching file security/dte/path.c
>patching file security/dte/read_policy.c
>patching file security/dte/syscall.c
>patching file security/dte/task.c
>patching file security/dummy.c
>patching file security/lids/Config.help
>patching file security/lids/Config.in
>patching file security/lids/Makefile
>patching file security/lids/Makefile.in
>patching file security/lids/include/linux/lids.h
>patching file security/lids/include/linux/lidsext.h
>patching file security/lids/include/linux/lidsif.h
>patching file security/lids/include/linux/rmd160.h
>patching file security/lids/klids.c
>patching file security/lids/lids_acl.c
>patching file security/lids/lids_cap.c
>patching file security/lids/lids_check_scan.c
>patching file security/lids/lids_exec.c
>patching file security/lids/lids_init.c
>patching file security/lids/lids_logs.c
>patching file security/lids/lids_lsm.c
>patching file security/lids/lids_mail_script.c
>patching file security/lids/lids_net.c
>patching file security/lids/lids_sysctl.c
>patching file security/lids/lids_syslog_script.c
>patching file security/lids/rmd160.c
>patching file security/owlsm.c
>patching file security/owlsm.h
>patching file security/security.c
>patching file security/selinux/Config.in
>patching file security/selinux/Makefile
>patching file security/selinux/Makefile.in
>patching file security/selinux/arch/i386/Makefile
>patching file security/selinux/arch/i386/wrapper.c
>patching file security/selinux/avc.c
>patching file security/selinux/extsocket.h
>patching file security/selinux/flask/Makefile
>patching file security/selinux/flask/access_vectors
>patching file security/selinux/flask/initial_sids
>patching file security/selinux/flask/mkaccess_vector.sh
>patching file security/selinux/flask/mkflask.sh
>patching file security/selinux/flask/security_classes
>patching file security/selinux/hooks.c
>patching file security/selinux/include/asm-i386/flask/syscallaccess.h
>patching file security/selinux/include/linux/flask/av_inherit.h
>patching file security/selinux/include/linux/flask/av_perm_to_string.h
>patching file security/selinux/include/linux/flask/av_permissions.h
>patching file security/selinux/include/linux/flask/avc.h
>patching file security/selinux/include/linux/flask/avc_ss.h
>patching file security/selinux/include/linux/flask/class_to_string.h
>patching file security/selinux/include/linux/flask/common_perm_to_string.h
>patching file security/selinux/include/linux/flask/flask.h
>patching file security/selinux/include/linux/flask/flask_types.h
>patching file security/selinux/include/linux/flask/flnetlink.h
>patching file security/selinux/include/linux/flask/initial_sid_to_string.h
>patching file security/selinux/include/linux/flask/nsid.h
>patching file security/selinux/include/linux/flask/psid.h
>patching file security/selinux/include/linux/flask/security.h
>patching file security/selinux/include/linux/flask/selopt.h
>patching file security/selinux/include/linux/flask/syscalls.h
>patching file security/selinux/include/linux/flask/syscalls_proto.h
>patching file security/selinux/nsid.c
>patching file security/selinux/psid.c
>patching file security/selinux/selinux_plug.h
>patching file security/selinux/selopt/Makefile
>patching file security/selinux/selopt/cache.c
>patching file security/selinux/selopt/cache.h
>patching file security/selinux/selopt/flnetlink.c
>patching file security/selinux/selopt/perimtab.c
>patching file security/selinux/selopt/perimtab.h
>patching file security/selinux/selopt/queue.c
>patching file security/selinux/selopt/queue.h
>patching file security/selinux/selopt/selopt_core.c
>patching file security/selinux/ss/Makefile
>patching file security/selinux/ss/Makefile.in
>patching file security/selinux/ss/avtab.c
>patching file security/selinux/ss/avtab.h
>patching file security/selinux/ss/constraint.h
>patching file security/selinux/ss/context.h
>patching file security/selinux/ss/ebitmap.c
>patching file security/selinux/ss/ebitmap.h
>patching file security/selinux/ss/global.h
>patching file security/selinux/ss/hashtab.c
>patching file security/selinux/ss/hashtab.h
>patching file security/selinux/ss/mls.c
>patching file security/selinux/ss/mls.h
>patching file security/selinux/ss/mls_types.h
>patching file security/selinux/ss/policydb.c
>patching file security/selinux/ss/policydb.h
>patching file security/selinux/ss/policydb_inflate.c
>patching file security/selinux/ss/queue.c
>patching file security/selinux/ss/queue.h
>patching file security/selinux/ss/services.c
>patching file security/selinux/ss/services.h
>patching file security/selinux/ss/services_private.h
>patching file security/selinux/ss/sidtab.c
>patching file security/selinux/ss/sidtab.h
>patching file security/selinux/ss/symtab.c
>patching file security/selinux/ss/symtab.h
>patching file security/selinux/ss/syscalls.c
>patching file security/selinux/syscalls.c
>bash-2.05b#
>
>Thanks
>king khan
>
>On Wed, 19 Jan 2005 13:17:21 +0530, Syed Ahemed <kingkhan@private> wrote:
>
>>The lines of code below are an excerpt from the kernel
>>source after the LSM patch is applied.
>>To make the question precise I have deleted the non-LSM lines
>>from the code.
>>
>>1] The /usr/src/linux-2.4/include/security.h defines the
>>security_operations struct with a socket_create field.
>>2] /usr/src/linux-2.4/net/socket.c has the function sock_create, which calls
>>[ security_ops->socket_create(family, type, protocol); ] to check the
>>extended LSM security of socket creation.
>>3] /usr/src/linux-2.4/security/selinux/hooks.c has the LSM
>>implementation of the function call
>>selinux_socket_create (int family, int type, int protocol, struct
>>socket **res).
>>
>>Question 1 :
>>--------------------
>>Every time a user application tries to create a socket,
>>net/socket.c:sock_create is invoked, and this function in turn calls
>>the security_ops->socket_create function for the LSM check. Now where
>>and how does selinux_socket_create come into the picture? I mean, how
>>does it get invoked?
>>
>>Question 2 :
>>------------------
>>security_ops->socket_create() is the hook employed by the LSM framework;
>>selinux_socket_create() is the security module's implementation of that
>>function.
>>Am I right?
>>If not, where is the function code for the hook call made from socket.c?
>>
>> */usr/src/linux-2.4/include/security.h
>> * @socket_create:
>> *      Check permissions prior to creating a new socket.
>> *      @family contains the requested protocol family.
>> *      @type contains the requested communications type.
>> *      @protocol contains the requested protocol.
>> *      Return 0 if permission is granted.
>> * @socket_post_create:
>> *      This hook allows a module to update or allocate a per-socket security
>> *      structure. Note that the security field was not added directly to the
>> *      socket structure, but rather, the socket security information is stored
>> *      in the associated inode.  Typically, the inode alloc_security hook will
>> *      allocate and attach security information to
>> *      sock->inode->i_security.  This hook may be used to update the
>> *      sock->inode->i_security field with additional information that wasn't
>> *      available when the inode was allocated.
>> *      @sock contains the newly created socket structure.
>> *      @family contains the requested protocol family.
>> *      @type contains the requested communications type.
>> *      @protocol contains the requested protocol.
>> * @socket_bind:
>>
>>struct security_operations {
>>        int (*socket_create) (int family, int type, int protocol);
>>        void (*socket_post_create) (struct socket * sock, int family,
>>                                    int type, int protocol);
>>        /* ... other hooks elided ... */
>>};
>>
>>********************************************************************************************************
>>* /usr/src/linux-2.4/net/socket.c
>>
>>int sock_create(int family, int type, int protocol, struct socket **res)
>>{
>>        int i;
>>        int err;
>>        struct socket *sock;
>>
>>        /* LSM hook runs before any allocation; a non-zero return aborts */
>>        err = security_ops->socket_create(family, type, protocol);
>>        if (err)
>>                return err;
>>
>>        /* ... non-LSM socket allocation code elided ... */
>>
>>        return i;
>>}
>>********************************************************************************
>>
>>/*  /usr/src/linux-2.4/security/selinux/hooks.c */
>>
>>static int selinux_socket_create(int family, int type, int protocol)
>>{
>>        int err;
>>        struct task_security_struct *tsec;
>>        security_id_t tsid;
>>
>>        tsec = current->security;
>>
>>        tsid = extsocket_create(tsec);
>>
>>        err = avc_has_perm(tsec->sid, tsid,
>>                           socket_type_to_security_class(family, type),
>>                           SOCKET__CREATE);
>>
>>        return err;
>>}
>>*******************************************************************************
>>
>>Thanks
>>KIng Khan
>>
>>
>>On Tue, 18 Jan 2005 15:03:13 -0800, Chris Wright <chrisw@private> wrote:
>>
>>>* Syed Ahemed (kingkhan@private) wrote:
>>>
>>>>Solution 2
>>>>---------------
>>>>a] LSM with SELinux: what does it do that LIDS [with/without LSM] can't?
>>>>    Note: I haven't seen a LIDS vs SELinux debate; maybe they aren't
>>>>alike at all. But we have a co-existence problem to solve too.
>>>>
>>>For the purpose of your examples, consider LIDS and SELinux to have very
>>>similar properties.
>>>
>>>
>>>>b] Implement my own strncpy or strcpy with better length checking
>>>>
>>>For user-space buffer overflow?  Sure, it's always useful to carefully
>>>audit that kind of code.
>>>
>>>
>>>>c] The Openwall patch, as part of the base kernel, will take care of
>>>>the executable stack issue
>>>>
>>>Base 2.6 has some support for NX stack.  Also, you can look at
>>>exec-shield in Fedora kernels, or the SSP patch to gcc.
>>>
>>>Stopping the buffer overflow is fundamentally different from limiting
>>>that damage domain.  Point is...there is no single silver bullet.
>>>Best solution is to employ best security practices at each relevant
>>>layer.
>>>
>>>thanks,
>>>-chris
>>>--
>>>Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
>>>
>

-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
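The mechanism behind Question 1 and Question 2 in the quoted thread, as an added userspace model that is not kernel code and not part of the original mail: the core kernel never names a module, it only calls through the single global `security_ops` pointer, and a module such as SELinux gets its table installed there by calling `register_security()` at init time. The `toy_socket_create` policy ("no raw sockets"), the `FAMILY_*`/`TYPE_*` numbers and the `active_module()` helper are constructed for the demo; the real `struct security_operations` has many more members and `selinux_socket_create()` consults the AVC instead of a one-line rule.

```c
/*
 * Userspace model of the 2.4 LSM dispatch path asked about above.
 * Added illustration, not kernel code: the names mirror security_ops,
 * register_security() and the socket_create hook, but every body here
 * is a stand-in, and the socket constants and "toy" policy are made up.
 */
#include <stdio.h>
#include <errno.h>

/* The hook table.  The real struct security_operations has dozens of
 * members; one is enough to show the mechanism. */
struct security_operations {
    const char *name;
    int (*socket_create)(int family, int type, int protocol);
};

/* Default module (like security/dummy.c): permit everything. */
static int dummy_socket_create(int family, int type, int protocol)
{
    (void)family; (void)type; (void)protocol;
    return 0;
}
struct security_operations dummy_ops = { "dummy", dummy_socket_create };

/* The one global pointer that core code calls through.  Nothing in
 * net/socket.c names a module; it only ever calls security_ops->hook(). */
struct security_operations *security_ops = &dummy_ops;

/* A module installs its table by swapping the pointer.  Only one primary
 * module may be active, so a second registration is refused. */
int register_security(struct security_operations *ops)
{
    if (!ops || !ops->socket_create)
        return -EINVAL;
    if (security_ops != &dummy_ops)
        return -EAGAIN;
    security_ops = ops;
    return 0;
}

int unregister_security(struct security_operations *ops)
{
    if (security_ops != ops)
        return -EINVAL;
    security_ops = &dummy_ops;
    return 0;
}

/* Stand-in for net/socket.c:sock_create(): the hook runs before any
 * allocation, and a non-zero return aborts the call with that errno. */
int sock_create(int family, int type, int protocol)
{
    int err = security_ops->socket_create(family, type, protocol);
    if (err)
        return err;
    /* real code would allocate the socket and its inode here */
    return 0;
}

/* Constructed constants for the demo (not the real AF_/SOCK_ values). */
enum { FAMILY_INET = 2, TYPE_STREAM = 1, TYPE_RAW = 3 };

/* A toy module in the role of selinux_socket_create(): instead of an
 * AVC lookup it applies one hypothetical rule, "no raw sockets". */
static int toy_socket_create(int family, int type, int protocol)
{
    (void)family; (void)protocol;
    return type == TYPE_RAW ? -EACCES : 0;
}
struct security_operations toy_ops = { "toy", toy_socket_create };

const char *active_module(void) { return security_ops->name; }

int main(void)
{
    printf("%s: raw socket -> %d\n", active_module(),
           sock_create(FAMILY_INET, TYPE_RAW, 0));
    register_security(&toy_ops);
    printf("%s: raw socket -> %d, stream socket -> %d\n", active_module(),
           sock_create(FAMILY_INET, TYPE_RAW, 0),
           sock_create(FAMILY_INET, TYPE_STREAM, 0));
    unregister_security(&toy_ops);
    return 0;
}
```

The answer to "how does selinux_socket_create get invoked" is therefore the pointer swap: `sock_create()` is identical before and after, and which implementation runs depends only on what `register_security()` last stored in `security_ops`.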

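For item b] in the quoted list (a strncpy/strcpy replacement with better length checking), an added example that is not from the thread: the two defects a bounded copy has to avoid are leaving the destination unterminated when the source fills it, which `strncpy` does, and silently truncating without telling the caller. The function below follows the BSD strlcpy contract (always terminate, return the source length so the caller can detect truncation); the 8-byte buffer and the two input strings in `demo()` are constructed for the example.

```c
/*
 * Added example for a bounded string copy with truncation reporting.
 * Not from the thread; the contract mirrors BSD strlcpy: the destination
 * is always NUL-terminated, and the return value is strlen(src), so a
 * result >= dstsize means the copy was cut short.
 */
#include <stddef.h>
#include <string.h>

size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);

    if (dstsize == 0)            /* nothing to write; still report length */
        return srclen;

    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';               /* strncpy would omit this when full */
    return srclen;
}

/* 1 if src fit completely, 0 if it was truncated.  Callers that ignore
 * this are the ones that turn a safe copy into a silently wrong one. */
int copy_fits(char *dst, const char *src, size_t dstsize)
{
    return bounded_copy(dst, src, dstsize) < dstsize;
}

/* Constructed inputs: an 8-byte buffer, one string that fits and one
 * that does not.  Returns 1 when both cases behave as documented. */
int demo(void)
{
    char buf[8];
    int fits = copy_fits(buf, "hello", sizeof buf)
               && strcmp(buf, "hello") == 0;
    int cut  = !copy_fits(buf, "overflowing input", sizeof buf)
               && strcmp(buf, "overflo") == 0 && buf[7] == '\0';
    return fits && cut;
}
```

Note that this only keeps the copy itself from overflowing; as the reply says, that is a different layer from confining what a compromised process can do afterwards, which is what the LSM modules discussed above are for.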


This archive was generated by hypermail 2.1.3 : Wed Jan 19 2005 - 00:49:13 PST