On Wed, 2005-03-30 at 22:03 -0500, John Richard Moser wrote:
> To accomplish this task, one of two venues would be taken. The first,
> shown below, adds a new hook in the same place:
>
>         error = security_file_mmap(file, prot, flags);
>         if (error)
>                 return error;
>         /* Serge's stacking code should AND together each thing we get
>          * back from each module to produce the most restrictive set
>          */
>         vm_flags &= security_file_mmap_vm_flags(file, prot, flags);

As Chris mentioned, the access control approach here is to return an
error from the existing hooks for mmap and mprotect if it is an attempt
to create/change a mapping to an illegal state. Look at the SELinux
checks for mmap and mprotect.

--
Stephen Smalley <sds@private>
National Security Agency
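
The error-return approach described in the reply above, as an added user-space model that is not part of the original message and is not kernel or SELinux code. The `demo_*` names, the `demo_vma` structure and the two policy rules (no simultaneous write and execute, no execute on a mapping that was ever writable) are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

/* Hypothetical model state, not kernel or SELinux structures. */
struct demo_vma {
    unsigned long prot;   /* PROT_* bits currently granted */
    int was_writable;     /* mapping has been PROT_WRITE at some point */
};

/* Assumed policy: a mapping may never be writable and executable at once. */
static int demo_illegal(unsigned long prot)
{
    return (prot & PROT_WRITE) && (prot & PROT_EXEC);
}

/* mmap-time check: refuse the request with an error, grant nothing. */
int demo_file_mmap(struct demo_vma *vma, unsigned long prot)
{
    if (demo_illegal(prot))
        return -EACCES;
    vma->prot = prot;
    vma->was_writable = (prot & PROT_WRITE) != 0;
    return 0;
}

/* mprotect-time check: refuse a change into an illegal state and
 * leave the existing mapping untouched. Assumed extra rule: a mapping
 * that was ever writable may not become executable later. */
int demo_file_mprotect(struct demo_vma *vma, unsigned long prot)
{
    if (demo_illegal(prot))
        return -EACCES;
    if ((prot & PROT_EXEC) && vma->was_writable)
        return -EACCES;
    vma->prot = prot;
    if (prot & PROT_WRITE)
        vma->was_writable = 1;
    return 0;
}

int main(void)
{
    struct demo_vma v = {0, 0};
    printf("mmap RW   -> %d\n", demo_file_mmap(&v, PROT_READ | PROT_WRITE));
    printf("mprot RX  -> %d\n", demo_file_mprotect(&v, PROT_READ | PROT_EXEC));
    printf("mprot R   -> %d\n", demo_file_mprotect(&v, PROT_READ));
    return 0;
}
```

In this model a denied request leaves the mapping state exactly as it was, and the caller sees `-EACCES` rather than a mapping with fewer permissions than it asked for.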