
[Dazuko-devel] Re: [Dazuko-help] Dazuko and Linux 2.6


From: Michael Grigoriev
Subject: [Dazuko-devel] Re: [Dazuko-help] Dazuko and Linux 2.6
Date: Fri, 14 Nov 2003 23:04:19 -0500
User-agent: Mutt/1.5.4i

On Fri, Nov 14, 2003 at 08:49:22PM +0100, John Ogness wrote:
> In 2.4 (and earlier) there was no way that you could implement your own 
> file access security module without major patches to the kernel. As a 
> result, Dazuko hooks the system call, thus allowing it to have first say 
> for file accesses (without requiring kernel patches). Although this 
> works, it fits more into the category of "hacking the kernel" rather 
> than "securing the kernel".

Agreed.
 
> With 2.5/2.6, Linux provides an interface for implementing your own file 
> access security module. This means that Dazuko will no longer need to 
> hook the system calls. Although this makes Dazuko's job easier, it will 
> require me (or someone) to appropriately match the Linux 2.6 security 
> API to Dazuko. I have seen several examples of this and it looks like 
> getting the access information to Dazuko will be the easy part.

Interesting. It does look like the Linux security modules provide a lot of
the same hooks Dazuko was trying to get from the system calls. I'll have to
experiment with them.
 
> However, I have not yet looked at the virtual file system, chroot 
> models, and local name lookups for the new kernel. I am a lot more 
> worried that these (more complex) pieces have changed considerably. (I 
> am assuming they've changed because they changed quite a bit from 2.2 to 
> 2.4.)

It's not too bad. With some hacking, I actually ported most of it to 2.6
and had the entire thing at least compiling before I noticed the
sys_call_table problem. It's getting kind of ugly with 3 levels of ifdefs
though.... I am going to see if there is a better way of handling the
version dependent stuff.

Or maybe you would consider phasing out 2.2 support? I mean are there really
a lot of people still using it?
 
> I will most likely start working on the 2.6 port in December. If you 
> subscribe to the dazuko-devel mailing list, we can start tackling this 
> issue together.

Sorry, I didn't notice that there was a dazuko-devel list, or I would have
posted to it to begin with.

-- 
Have fun,                              I believe that we'll conceive
Michael "mag" Grigoriev              To make in hell for us a heaven
address@hidden                   A brave new world, a promised land
http://www.luminal.org               A fortitude of hearts and minds
