Re: soft mode and v1.1.1-pre4 problem (was: Re: rsbac-v1.1.1-pre4 uploaded)


From: Amon Ott <ao@rsbac.org>
Subject: Re: soft mode and v1.1.1-pre4 problem (was: Re: rsbac-v1.1.1-pre4 uploaded)
Date: Tue, 27 Feb 2001 15:44:02 +0100



On Tue, 27 Feb 2001 Peter Busser wrote:
> > > > Amon. What about some option in /proc? (like /proc/sys/net/ipv4/ip_forward).
> > > Well, a /proc entry would be ok if it is only present in maintenance mode.
> > 
> > There are no modules for test decisions in maint mode. And the proc entry would
> > of course be access controlled.
> 
> Well, in that case it would be nice when this would be (also) a kernel compile
> option. It's ok if it is access controlled, but when the functionality is not
> there, it cannot be activated by accident. This soft mode is mostly useful in
> development environments, not in production environments.

Of course this will be an option, and it will be off in the default config.
 
> I didn't know /proc entries could be access controlled, how does one do that?

Like /proc/rsbac-info/*... Just try reading anything as normal user, and you
will see the denied request in the log.

When you read from (or write to) these special files, the data is generated
on-the-fly by a registered function. The request is done from there. The
function's result code is later returned as result of the read function.

> BTW, the 2.2.18 kernel doesn't compile with v1.1.1-pre4 when REG modules is
> deselected in the kernel configuration. Some symbol is undefined reg...handle
> in a function prototype. Sorry, but I can't give more information right now, I
> forgot to write the error message down... <shame> <shame>

Already fixed in my tree. rsbac/help/syscalls.c needs rsbac/reg.h included.
 
> I think it's some symbol leakage that shouldn't occur when REG modules support
> is deselected.

Only a conditional include from another include file - the REG syscall must
always be there to avoid breaking programs.

Amon.
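
Added example, not part of the original message and not RSBAC code: a user-space C model of the mechanism described above, where a registered function makes the access request, generates the data on the fly, and its result code becomes the result of the read. All names, the path and the uid-0 policy are hypothetical; soft mode is modelled as log-only and exists only when built with -DSOFTMODE_COMPILED_IN.

```c
/* User-space model, NOT RSBAC code: all names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Build with -DSOFTMODE_COMPILED_IN to have the soft-mode switch at all;
 * without it the switch does not exist and cannot be flipped by accident. */
#ifdef SOFTMODE_COMPILED_IN
static int softmode = 0;           /* off by default even when built in */
#endif

static int denied_logged = 0;      /* number of denied requests logged */

/* Hypothetical decision function: only uid 0 is granted in this model. */
static int decide(unsigned uid, const char *target)
{
    if (uid == 0)
        return 1;
    denied_logged++;
    fprintf(stderr, "request denied: uid %u, target %s\n", uid, target);
#ifdef SOFTMODE_COMPILED_IN
    if (softmode)
        return 1;                  /* logged, but not enforced */
#endif
    return 0;
}

/* Registered generator for one special file (constructed path). It makes
 * the access request itself, then produces the data on the fly. Its return
 * value becomes the result of the read: byte count, or negative errno. */
static int info_read(unsigned uid, char *buf, size_t len)
{
    if (!decide(uid, "/proc/example-info/status"))
        return -EPERM;
    return snprintf(buf, len, "denied so far: %d\n", denied_logged);
}

int main(void)
{
    char buf[64];
    printf("uid 1000 -> %d\n", info_read(1000, buf, sizeof buf));
    int n = info_read(0, buf, sizeof buf);
    printf("uid 0    -> %d: %s", n, buf);
    return 0;
}
```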
