Re: Hooks and stacking

From: Stephen Smalley (sds@private)
Date: Thu Mar 31 2005 - 05:10:34 PST


On Wed, 2005-03-30 at 22:03 -0500, John Richard Moser wrote:
> To accomplish this task, one of two venues would be taken.  The first,
> shown below, adds a new hook in the same place:
> 
>         error = security_file_mmap(file, prot, flags);
>         if (error)
>                 return error;
> 	/* Serge's stacking code should AND together each thing we get
> 	 * back from each module to produce the most restrictive set
> 	 */
> 	vm_flags &= security_file_mmap_vm_flags(file, prot, flags);

As Chris mentioned, the access control approach here is to return an
error from the existing hooks for mmap and mprotect if it is an attempt
to create/change a mapping to an illegal state.  Look at the SELinux
checks for mmap and mprotect.

-- 
Stephen Smalley <sds@private>
National Security Agency
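
A userspace C model of the approach described in the reply above, added here as an illustration; it is not part of the original message and is not kernel or SELinux code. The two policies, the `has_file` stand-in for the `struct file` pointer, and all `model_*`/`deny_*` names are hypothetical. Each stacked module either allows the request or returns an error from the mmap hook, so there is no second hook that masks `vm_flags`.

```c
/* Userspace model only: hypothetical names, not kernel or SELinux code. */
#include <errno.h>
#include <stddef.h>
#include <sys/mman.h>   /* PROT_READ, PROT_WRITE, PROT_EXEC */

/* Same shape as security_file_mmap(file, prot, flags) in the quoted snippet;
 * has_file is an assumed stand-in for the struct file pointer. */
typedef int (*mmap_hook_t)(int has_file, unsigned long prot, unsigned long flags);

/* Constructed policy A: refuse mappings that are both writable and executable. */
static int deny_wx(int has_file, unsigned long prot, unsigned long flags)
{
    (void)has_file; (void)flags;
    if ((prot & PROT_WRITE) && (prot & PROT_EXEC))
        return -EACCES;
    return 0;
}

/* Constructed policy B: refuse executable anonymous (no backing file) memory. */
static int deny_anon_exec(int has_file, unsigned long prot, unsigned long flags)
{
    (void)flags;
    if (!has_file && (prot & PROT_EXEC))
        return -EACCES;
    return 0;
}

static const mmap_hook_t stacked[] = { deny_wx, deny_anon_exec };

/* Stacked dispatch: the first module that objects ends the call with its error. */
int model_file_mmap(int has_file, unsigned long prot, unsigned long flags)
{
    for (size_t i = 0; i < sizeof(stacked) / sizeof(stacked[0]); i++) {
        int error = stacked[i](has_file, prot, flags);
        if (error)
            return error;
    }
    return 0;
}

/* Caller side: on success the requested protection is applied unchanged,
 * on denial the caller sees the errno. Returns granted prot or -errno. */
long model_do_mmap(int has_file, unsigned long prot, unsigned long flags)
{
    int error = model_file_mmap(has_file, prot, flags);
    if (error)
        return error;
    return (long)prot;
}
```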


