LSM stacker update

From: Serge E. Hallyn (serue@private)
Date: Mon Jan 31 2005 - 08:13:56 PST


Hi,

A new version of the stacking code is on www.sf.net/projects/lsm-stacker.
The base-patches package is gone, since those patches are now upstream.
The code now consists of:

	lsm-chain.patch: replaces void *security with listhead, and
		provides the interface for their shared usage.
		Basically unchanged.

	seclvl.patch: Stacker support for BSD secure levels.  Unchanged
		from previous versions.

	selinux.patch: Stacker support for SELinux.  Now also removes
		the secondary_ops support.

	stacker.patch: Main change is that, since mod_reg_security()
		actually calls verify(ops), all ops->hooks which were
		not defined will be pointing to the dummy hooks, so
		there is no reason to check
			if (m)
				m->hook();
		so stacker now just calls m->hook().  This might provide
		some performance improvement, particularly if the
		m->hook call was on the path requiring the jump.  (I
		haven't checked that).

	stack-capabilities-with-selinux.patch: A new patch which
		implements changes needed to enable explicit stacking of
		capabilities and SELinux.  I would particularly appreciate
		feedback on these:

		1. Introduces noop versions of setxattr, removexattr,
		vm_enough_memory, netlink_send, and netlink_recv.
		Unlike the dummy versions, these truly do nothing.

		2. Introduces cap-stack.c.  This is a version of
		capabilities which uses the above noop functions.
		Simply not defining them would result in usage of the
		dummy versions, which would still interfere with
		selinux.  Netlink_recv actually does not interfere, but
		merely repeats the same check as selinux, and is
		therefore a waste of time.

		3. Only the first module's vm_enough_memory hook is
		called.  If no modules are loaded, the dummy version is
		called.  This is to ensure adequate (but no duplicate)
		updating of memory statistics.  In particular, duplicate
		calls to vm_acct_memory(pages) would be bad.

		4. So long as no module rejects permission for
		netlink_send, stacker sets the socket capabilities to
		the intersection of all the results returned by all
		modules.

thanks,
-serge
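The dispatch rules from the stacker.patch and stack-capabilities-with-selinux.patch descriptions above, as an added toy model in C (not the lsm-stacker code; every name here such as sec_ops, stacker_verify, stacker_register and the two sample modules is hypothetical and constructed for the example). It shows why a verify() step that fills every undefined hook with a default removes the need for an if (m) check, why only the first module's vm_enough_memory is consulted, and how netlink_send intersects the capability sets returned by each module.

```c
typedef unsigned int cap_t;
/* Cut-down, hypothetical ops table with two of the hooks the mail discusses. */
struct sec_ops {
    int (*vm_enough_memory)(long pages);  /* 0 = ok, nonzero = deny */
    int (*netlink_send)(cap_t *caps);     /* 0 = allow, -1 = deny */
    struct sec_ops *next;
};
static int dummy_vm_enough_memory(long p) { (void)p; return 0; } /* assumed dummy: allow */
static int noop_netlink_send(cap_t *c) { (void)c; return 0; }    /* assumed noop: no change */
/* verify(): point every undefined hook at a default, so dispatch never NULL-checks. */
static void stacker_verify(struct sec_ops *ops) {
    if (!ops->vm_enough_memory) ops->vm_enough_memory = dummy_vm_enough_memory;
    if (!ops->netlink_send) ops->netlink_send = noop_netlink_send;
}
static struct sec_ops *stacked_head;  /* the list head that replaces void *security */
static void stacker_register(struct sec_ops *ops) {
    struct sec_ops **pp = &stacked_head;
    stacker_verify(ops);
    ops->next = 0;
    while (*pp) pp = &(*pp)->next;    /* append: first registered stays first */
    *pp = ops;
}
/* Item 3: only the first module's hook runs; the dummy if nothing is loaded. */
static int stacker_vm_enough_memory(long pages) {
    return stacked_head ? stacked_head->vm_enough_memory(pages)
                        : dummy_vm_enough_memory(pages);
}
/* Item 4: any module may deny; otherwise caps = AND of every module's result. */
static int stacker_netlink_send(cap_t *caps) {
    cap_t result = *caps;
    for (struct sec_ops *m = stacked_head; m; m = m->next) {
        cap_t tmp = *caps;            /* each module sees the original set */
        if (m->netlink_send(&tmp) != 0) return -1;
        result &= tmp;
    }
    *caps = result;
    return 0;
}
/* Constructed sample modules: A denies >1000 pages and clears cap bit 2;
   B has no vm hook (so it gets the dummy) and clears cap bit 0. */
static int a_vm(long p) { return p > 1000 ? -1 : 0; }
static int a_nl(cap_t *c) { *c &= ~4u; return 0; }
static int b_nl(cap_t *c) { *c &= ~1u; return 0; }
static struct sec_ops mod_a = { a_vm, a_nl, 0 }, mod_b = { 0, b_nl, 0 };
/* Registers A then B and checks both rules; returns 0 when all hold. */
static int demo(void) {
    cap_t caps = 7;
    stacker_register(&mod_a); stacker_register(&mod_b);
    if (stacker_netlink_send(&caps) != 0 || caps != 2) return -1;
    if (stacker_vm_enough_memory(10) != 0) return -2;
    return stacker_vm_enough_memory(5000) == -1 ? 0 : -3;  /* A's hook, not B's dummy */
}
```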



This archive was generated by hypermail 2.1.3 : Mon Jan 31 2005 - 08:14:46 PST