From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: JanuGerman <doublemalam@yahoo.co.uk>
Cc: Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov
Subject: Re: Kernel Panics, when start with amendments in SELInux Source Code
Date: Wed, 21 Mar 2007 16:13:15 -0400 [thread overview]
Message-ID: <1174507995.5556.4.camel@localhost.localdomain> (raw)
In-Reply-To: <20070321194738.6924.qmail@web86913.mail.ukl.yahoo.com>
On Wed, 2007-03-21 at 19:47 +0000, JanuGerman wrote:
> Thanks for the reply.
> > What is count used for?
>
> The actuall thing which i am doing at the moment is
> that, whenever a specific "file object" comes in the
> security server for permission decision, say a file
> which contains sensitive data, I want to read that
> file fully, within the security server. The purpose of
> the count variable is two fold. It is actually used in
> memcpy() for copying the file name into a dummy file
> object. Secondly, it is used for reading from the data
> from the file using:
>
> count (testfile ->f_op -> read) (testfile, (char
> _user *) bufp, PAGE_SIZE, &offset)
> ....
>
>From this description it sounds like you want to intercept access to
certain files and present a processed version of that file to processes
accessing it. You may want to explore doing this from userspace.
You can create a file type accessible only by a single domain and run a
process in that domain that provides access to the files through IPC. If
the access needs to be provided without modifying applications you could
LD_PRELOAD a library to intercept the relevant libc calls.
This will likely be more maintainable and simpler to achieve. Looking
for references to assured pipelines can give you some ideas about this
general approach.
Karl
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-03-21 20:13 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-19 14:11 The reason why SEPostgreSQL use original userspace AVC KaiGai Kohei
2007-03-21 12:38 ` Stephen Smalley
2007-03-21 14:35 ` Stephen Smalley
2007-03-21 14:54 ` KaiGai Kohei
2007-03-21 14:48 ` KaiGai Kohei
2007-03-21 17:54 ` Kernel Panics, when start with amendments in SELInux Source Code JanuGerman
2007-03-21 18:38 ` Stephen Smalley
2007-03-21 19:47 ` JanuGerman
2007-03-21 20:13 ` Karl MacMillan [this message]
2007-03-21 19:48 ` JanuGerman
2007-03-21 20:01 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1174507995.5556.4.camel@localhost.localdomain \
--to=kmacmillan@mentalrootkit.com \
--cc=doublemalam@yahoo.co.uk \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.