Re: Out of tree module using LSM

From: tvrtko . ursulin
Date: Wed Nov 28 2007 - 13:22:24 EST


linux-kernel-owner@xxxxxxxxxxxxxxx wrote on 28/11/2007 17:39:56:

> On Wed, 28 Nov 2007 16:46:13 +0000
> Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
>
> > On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> > > Would you like to expound on that, or do you feel your claws
> > > are sharp enough already?
> >
> > Just take a look at code.
> >
>
> The module in question hooks to the syscall table which is not
> acceptable. Including dumpster diving through symbol table to
> find the syscall table since it is no longer exported.

That is not completely true.

As I said in the second part of my original email (that part Christoph
deleted so please read it whole) I would prefer not to discuss all the
ugly things some parts of our code do because they are irrelevant to the
LSM discussion. But I still feel some extra explanation might be needed.

Talpa is modular itself being composed of a set of kernel modules of which
not all are loaded simultaneously. Where possible LSM can be used and _no_
messing with syscall table will take place. Unfortunately where another
LSM user is present that won't work and another solution had to be found.
Also that drags history from 2.4 where that was the only solution.

So as there is no question the current code does some ugly things it is
even more true that we would be even more happy to use an official API.
LSM was that and we were happily using it which we won't be able to do if
it abruptly goes away. Yes it is not a perfect match but until it is
modified to be better, or until something appropriate is designed and
implemented, it would be very nice if it could stay.

--
Tvrtko August Ursulin
Senior Software Engineer, Sophos

Tel: 01235 559933
Web: www.sophos.com
Protecting business against viruses, spyware, spam and policy abuse


Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/