On Wed, 2008-01-09 at 08:40 -0800, Andrew Morgan wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > Attached is a quick RFC patch for modifying the way the LSM's handle > prctl() checks. Currently, the only thing LSMs can do with prctl() calls > is add more restrictions to their use than the default kernel. > > What this patch does is make it possible for an LSM to fake a successful > prctl() call, and also support LSM-specific prctl()s; ones that are only > supported when the particular LSM is loaded. > > Please comment
There was originally a sys_security syscall that could be used by security modules, but hch insisted on its removal because of its potential for abuse (this was back during 2.5 when LSM was first merged). I'm not sure revectoring prctl is going to fair much better on lkml. That's why we have /proc/pid/attr, the xattr vfs fallbacks to security modules, and securityfs and friends as APIs for security modules instead of their own custom calls. > > Thanks > > Andrew > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (Darwin) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFHhPjP+bHCR3gb8jsRAsYQAJ9hA/SvYNDi1F4ARGH/HGcXEamJEwCglJX6 > KjTVxS0qlTd5LGWY2yt9ulY= > =/bv4 > -----END PGP SIGNATURE----- -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
