[Dazuko-devel] Re: [Dazuko-help] Dazuko and Linux 2.6
From: Michael Grigoriev
Subject: [Dazuko-devel] Re: [Dazuko-help] Dazuko and Linux 2.6
Date: Fri, 14 Nov 2003 23:04:19 -0500
User-agent: Mutt/1.5.4i
On Fri, Nov 14, 2003 at 08:49:22PM +0100, John Ogness wrote:
> In 2.4 (and earlier) there was no way that you could implement your own
> file access security module without major patches to the kernel. As a
> result, Dazuko hooks the system call, thus allowing it to have first say
> for file accesses (without requiring kernel patches). Although this
> works, it fits more into the category of "hacking the kernel" rather
> than "securing the kernel".
Agreed.
> With 2.5/2.6, Linux provides an interface for implementing your own file
> access security module. This means that Dazuko will no longer need to
> hook the system calls. Although this makes Dazuko's job easier, it will
> require me (or someone) to appropriately match the Linux 2.6 security
> API to Dazuko. I have seen several examples of this and it looks like
> getting the access information to Dazuko will be the easy part.
Interesting. It does look like the linux security modules provide a lot of
the same hooks Dazuko was trying to get from the system calls. I'll have to
experiment with them.
> However, I have not yet looked at the virtual file system, chroot
> models, and local name lookups for the new kernel. I am a lot more
> worried that these (more complex) pieces have changed considerably. (I
> am assuming they've changed because they changed quite a bit from 2.2 to
> 2.4.)
It's not too bad. With some hacking, I actually ported most of it to 2.6
and had the entire thing at least compiling before I noticed the
sys_call_table problem. It's getting kind of ugly with 3 levels of ifdefs
though.... I am going to see if there is a better way of handling the
version dependent stuff.
Or maybe you would consider phasing out 2.2 support? I mean, are there really
a lot of people still using it?
> I will most likely start working on the 2.6 port in December. If you
> subscribe to the dazuko-devel mailing list, we can start tackling this
> issue together.
Sorry, I didn't notice that there was a dazuko-devel list, or I would have
posted to it to begin with.
--
Have fun,                    I believe that we'll conceive
Michael "mag" Grigoriev      To make in hell for us a heaven
address@hidden               A brave new world, a promised land
http://www.luminal.org       A fortitude of hearts and minds