On Fri, 21 Jan 2005 21:41:08 +0530, Syed Ahemed said:

(I only have 2.6 source trees handy, so the locations may be a bit different
in your 2.4 tree)

> Question 1 :
> --------------------
> Every time a user application tries to create the socket the
> net/socket.c : sock_create is invoked and this function in turn calls
> the security_ops->socket_create function for LSM check. Now where
> and how does the selinux_socket_create come into picture? I mean how
> does it get invoked?

Look at security/selinux/hook.c, in function selinux_init. That calls
register_security(&selinux_ops). selinux_ops is a structure filled in with
pointers to each selinux hook. register_security takes that structure and
copies it into security_ops. So (for instance) selinux_ops.socket_create is a
pointer to selinux_socket_create(), and once the structure is copied,
security_ops->socket_create is also a pointer to selinux_socket_create().
So in net/socket.c, the call to security_socket_create() is inlined to a call
to security_ops->socket_create(), which on an SELinux system ends up calling
selinux_socket_create().

> Question 2 :
> ------------------
> security_ops->socket_create( ) is the hook employed by the LSM framework

Strictly speaking, it's a *pointer* to where to find the actual hook code. If
you're running SELinux, it points to selinux_socket_create(). If you're
running some other LSM, it points to some other code, and if you're either
running no LSMs or none of the ones loaded are interested in that call, it
points to a 'dummy_socket_create()' in security/dummy.c (which is basically
there to prevent an OOPS by chasing an uninitialized pointer..)

> selinux_socket_create ( ) is the implementation of the security module
> function

And if you're running SELinux, that pointer calls that function for the
actual hook implementation, which basically calls avc_has_perm() to do the
actual work.

> Am I right ?

Basically...
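The wiring described in the reply above, as an added user-space model that is not kernel code and not part of the original mail: a hook table of function pointers pre-filled with a permissive dummy hook, a register_security() that copies a module's table over it, an inlined security_socket_create() wrapper that dereferences the live pointer, and a toy SELinux module whose hook consults a stand-in avc_has_perm(). The names mirror the kernel's (security_operations, security_ops, dummy_socket_create, selinux_socket_create, selinux_init, avc_has_perm), but every body here is a hypothetical simplification; the toy policy, which grants socket creation only for AF_UNIX and AF_INET, is constructed for the example.

```c
/* Added example: a hypothetical user-space model of LSM hook registration.
 * Not the kernel's code; names are borrowed, bodies are toy stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

/* One slot per hook; the real struct has a great many of these. */
struct security_operations {
    int (*socket_create)(int family, int type, int protocol, int kern);
};

/* Stand-in for the hook in security/dummy.c: always allow, so the slot is
 * never a NULL pointer that the core kernel would chase. */
int dummy_socket_create(int family, int type, int protocol, int kern)
{
    (void)family; (void)type; (void)protocol; (void)kern;
    return 0;
}

/* The live table the core kernel dereferences. Starts out as the dummy hooks. */
static struct security_operations security_ops_storage = {
    .socket_create = dummy_socket_create,
};
struct security_operations *security_ops = &security_ops_storage;
static int primary_registered;

/* Model of register_security(): copy the module's table into security_ops,
 * backfilling any slot the module left NULL with the dummy hook. Only one
 * primary module may register (modelled with -EAGAIN on a second attempt). */
int register_security(const struct security_operations *ops)
{
    if (primary_registered)
        return -EAGAIN;
    security_ops_storage = *ops;
    if (security_ops_storage.socket_create == NULL)
        security_ops_storage.socket_create = dummy_socket_create;
    primary_registered = 1;
    return 0;
}

/* What net/socket.c calls: an inline wrapper that expands to the indirect
 * call through the live table. */
static inline int security_socket_create(int family, int type, int protocol, int kern)
{
    return security_ops->socket_create(family, type, protocol, kern);
}

/* Stand-in for sock_create(): ask the LSM first; a non-zero result vetoes it. */
int sock_create(int family, int type, int protocol)
{
    int err = security_socket_create(family, type, protocol, 0);
    if (err)
        return err;      /* the security module refused the socket */
    return 0;            /* the real kernel would allocate the socket here */
}

/* ---- toy "SELinux" module ---- */

/* Constructed stand-in for avc_has_perm(): the toy policy grants socket
 * creation for AF_UNIX and AF_INET only; every other family is denied. */
static int avc_has_perm(int family)
{
    return (family == AF_UNIX || family == AF_INET) ? 0 : -EACCES;
}

/* The module's hook: kernel-internal sockets (kern != 0) are waved through,
 * user requests go to the access vector check. */
int selinux_socket_create(int family, int type, int protocol, int kern)
{
    (void)type; (void)protocol;
    if (kern)
        return 0;
    return avc_has_perm(family);
}

/* The module's table: unfilled slots stay NULL and are backfilled on registration. */
static struct security_operations selinux_ops = {
    .socket_create = selinux_socket_create,
};

/* Model of selinux_init(): hand the table to the framework. */
int selinux_init(void)
{
    return register_security(&selinux_ops);
}

/* Lets a caller confirm which function the slot currently points at. */
int socket_create_hook_is(int (*fn)(int, int, int, int))
{
    return security_ops->socket_create == fn;
}

int main(void)
{
    printf("before selinux_init: AF_INET6 -> %d\n", sock_create(AF_INET6, SOCK_STREAM, 0));
    selinux_init();
    printf("after selinux_init:  AF_INET  -> %d\n", sock_create(AF_INET, SOCK_STREAM, 0));
    printf("after selinux_init:  AF_INET6 -> %d\n", sock_create(AF_INET6, SOCK_STREAM, 0));
    return 0;
}
```

Before selinux_init() runs, sock_create() succeeds for every family because the slot still holds dummy_socket_create; after registration the same call path lands in selinux_socket_create() with no change to net/socket.c, which is the whole point of the indirection the reply describes.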
This archive was generated by hypermail 2.1.3 : Fri Jan 21 2005 - 11:29:47 PST