Re: In-kernel Authentication Tokens (PAGs)

From: David Howells
Date: Wed Jun 16 2004 - 09:42:17 EST



> > I've a sample aklog program (key submission) should you be interested.
>
> I'd be interested. BTW, I just took a brief look and had a quick
> question.

Please see attached files.

	key_afs.c	Rudimentary kAFS filesystem token handling
	afsutil.h	}
	kernel.c	} aklog program
	aklog.c		}

> > + if (bprm->e_uid != current->uid)
> > + suid_keys(current);
> > + exec_keys(current);
> > +
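
Review bot: The test `bprm->e_uid != current->uid` on the first added line only catches a change of effective UID, so an exec that changes only the group would not reach suid_keys(). Consider also comparing bprm->e_gid against current->gid, or add a comment saying why a GID-only change is deliberately left out. If suid_keys() and exec_keys() can fail, their results are discarded here and the exec would carry on without noticing; either check them or document that they cannot fail.
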
>
> Would the security module be expected to update/revoke keys if the thing changes
> security domains on exec?

I don't know. Currently this patch replaces the old session keyring in favour
of a new empty one upon SUID exec. I suspect that depends on the policy set by
the administrator.

If you've a better suggestion than what I've done, feel free to make it.

> > task_lock(current);
> > unsafe = unsafe_exec(current);
> > security_bprm_apply_creds(bprm, unsafe);

David

Attachment: key_afs.c
Description: Binary data

Attachment: afsutil.h
Description: Binary data

Attachment: kernel.c
Description: Binary data

Attachment: aklog.c
Description: Binary data