Re: [PATCH try #3] security: Convert LSM into a static interface

2007-07-24 Thread Andrew Morton
On Sat, 14 Jul 2007 12:37:01 -0400 (EDT) James Morris [EMAIL PROTECTED] wrote:

 Convert LSM into a static interface

allmodconfig broke

security/built-in.o: In function `rootplug_bprm_check_security':
security/root_plug.c:64: undefined reference to `usb_find_device'
security/root_plug.c:70: undefined reference to `usb_put_dev'

-
To unsubscribe from this list: send the line unsubscribe 
linux-security-module in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH try #3] security: Convert LSM into a static interface

2007-07-24 Thread Greg KH
On Tue, Jul 24, 2007 at 01:02:24AM -0700, Andrew Morton wrote:
 On Sat, 14 Jul 2007 12:37:01 -0400 (EDT) James Morris [EMAIL PROTECTED] 
 wrote:
 
  Convert LSM into a static interface
 
 allmodconfig broke
 
 security/built-in.o: In function `rootplug_bprm_check_security':
 security/root_plug.c:64: undefined reference to `usb_find_device'
 security/root_plug.c:70: undefined reference to `usb_put_dev'

That's weird, who would have disabled the exports of those functions or
removed the #include <linux/usb.h> from this file?

thanks,

greg k-h


Re: [PATCH try #3] security: Convert LSM into a static interface

2007-07-24 Thread Andrew Morton
On Tue, 24 Jul 2007 01:53:58 -0700 Greg KH [EMAIL PROTECTED] wrote:

 On Tue, Jul 24, 2007 at 01:02:24AM -0700, Andrew Morton wrote:
  On Sat, 14 Jul 2007 12:37:01 -0400 (EDT) James Morris [EMAIL PROTECTED] 
  wrote:
  
   Convert LSM into a static interface
  
  allmodconfig broke
  
  security/built-in.o: In function `rootplug_bprm_check_security':
  security/root_plug.c:64: undefined reference to `usb_find_device'
  security/root_plug.c:70: undefined reference to `usb_put_dev'
 
 That's weird, who would have disabled the exports of those functions or
 removed the #include <linux/usb.h> from this file?
 

root_plug is linked into vmlinux and usb is modular.  I did this:

--- a/security/Kconfig~security-convert-lsm-into-a-static-interface-fix-2
+++ a/security/Kconfig
@@ -82,7 +82,7 @@ config SECURITY_CAPABILITIES
 
 config SECURITY_ROOTPLUG
bool Root Plug Support
-   depends on USB  SECURITY
+   depends on USB=y  SECURITY
help
  This is a sample LSM module that should only be used as such.
  It prevents any programs running with egid == 0 if a specific
_
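Review bot: the help text under `config SECURITY_ROOTPLUG` is left unchanged while the dependency tightens to `USB=y`, so nothing tells a user why the option disappears when USB is built as a module. Consider adding a sentence to the help text, or a comment above the `depends on` line, stating that root_plug is linked into vmlinux and calls into USB, so USB must be built in.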


I suppose we could do SECURITY_ROOTPLUG=m if USB=m, but I thought the
whole point was to disallow modular LSM clients?


Re: [RFC][PATCH] Version5 - Simplified mandatory access control kernel implementation

2007-07-24 Thread Joshua Brindle

Casey Schaufler wrote:

+static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
+{
+   smack_t *ssp = smack_of_shm(shp);
+   int rc;
+
+   if (ssp == NULL)
+   return 0;
+
+   rc = smk_curacc(ssp, MAY_READWRITE);
+   return rc;
+}
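Review bot: `shmflg` is never read in `smack_shm_associate`, and the access requested from `smk_curacc` is always `MAY_READWRITE`, so a subject that should only get read access is either denied outright or has to be granted write as well. If the flags carry the requested mode, derive the access mask from them; if they do not, say so in a comment above the check. The `rc` local is also redundant: `return smk_curacc(ssp, MAY_READWRITE);` would do.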
  

No read-only or write-only shm mappings?



Still thinking about it.

  


I think if you actually want to use this in a guard like policy you are 
going to need it (for at least shm and msgq). BTW, you never responded 
to my last email about the granularity required to make a high 
throughput front channel and a low bandwidth backchannel for guards.





Re: [RFC][PATCH] Version5 - Simplified mandatory access control kernel implementation

2007-07-24 Thread Casey Schaufler

--- Joshua Brindle [EMAIL PROTECTED] wrote:

 Casey Schaufler wrote:
  +static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
  +{
  + smack_t *ssp = smack_of_shm(shp);
  + int rc;
  +
  + if (ssp == NULL)
  + return 0;
  +
  + rc = smk_curacc(ssp, MAY_READWRITE);
  + return rc;
  +}
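Review bot: the `ssp == NULL` branch in `smack_shm_associate` returns 0, which allows the association whenever the segment has no label, so the check fails open. Either add a comment explaining when `smack_of_shm()` can return NULL and why allowing access is safe in that case, or return an error so that an unlabeled segment is denied.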

  No read-only or write-only shm mappings?
  
 
  Still thinking about it.
 

 
 I think if you actually want to use this in a guard like policy you are 
 going to need it (for at least shm and msgq).

Fair enough. Ok, I'm convinced. On the work queue it goes.

 BTW, you never responded 
 to my last email about the granularity required to make a high 
 throughput front channel and a low bandwidth backchannel for guards.

That's true. I'd like to wait until I have an answer that makes sense,
and as you've been following the thread you know that I have lots of
things to work out. I haven't forgotten you.


Casey Schaufler
[EMAIL PROTECTED]


Re: [PATCH try #3] security: Convert LSM into a static interface

2007-07-24 Thread Greg KH
On Tue, Jul 24, 2007 at 01:58:46AM -0700, Andrew Morton wrote:
 On Tue, 24 Jul 2007 01:53:58 -0700 Greg KH [EMAIL PROTECTED] wrote:
 
  On Tue, Jul 24, 2007 at 01:02:24AM -0700, Andrew Morton wrote:
   On Sat, 14 Jul 2007 12:37:01 -0400 (EDT) James Morris [EMAIL PROTECTED] 
   wrote:
   
    Convert LSM into a static interface
   
   allmodconfig broke
   
   security/built-in.o: In function `rootplug_bprm_check_security':
   security/root_plug.c:64: undefined reference to `usb_find_device'
   security/root_plug.c:70: undefined reference to `usb_put_dev'
  
  That's weird, who would have disabled the exports of those functions or
  removed the #include <linux/usb.h> from this file?
  
 
 root_plug is linked into vmlinux and usb is modular.  I did this:
 
 --- a/security/Kconfig~security-convert-lsm-into-a-static-interface-fix-2
 +++ a/security/Kconfig
 @@ -82,7 +82,7 @@ config SECURITY_CAPABILITIES
  
  config SECURITY_ROOTPLUG
   bool Root Plug Support
 - depends on USB  SECURITY
 + depends on USB=y  SECURITY
   help
 This is a sample LSM module that should only be used as such.
 It prevents any programs running with egid == 0 if a specific

That looks correct to me.

thanks,

greg k-h