Sorry if this question is dumb.
SELinux is included in 2.6. But I think it works by putting LSM hooks a lot
of place in Linux and then it can define its own policy enforcement codes.
However, I cannot find hooks in kernel 2.6.9 and 2.6.11. How can
SELinux work with kernel 2.6 to protect system without hooks?
Thanks in advance for your help!
Xin
On Thu, 2005-09-08 at 02:46 -0400, Xin Zhao wrote:
> Sorry if this question is dumb.
>
> SELinux is included in 2.6. But I think it works by putting LSM hooks a lot
> of place in Linux and then it can define its own policy enforcement codes.
>
> However, I cannot find hooks in kernel 2.6.9 and 2.6.11. How can
> SELinux work with kernel 2.6 to protect system without hooks?
>
> Thanks in advance for your help!
The hooks are there, but possibly you are confused by the out-of-date
documentation (e.g. Documentation/DocBook/lsm.tmpl still says to look
for "security_ops->" in the core kernel for the hook calls, but they
have long since been replaced with calls to static inline functions
defined in include/linux/security.h). As an example,
fs/namei.c:permission calls security_inode_permission, which is defined
in include/linux/security.h and will invoke the corresponding hook if
CONFIG_SECURITY=y. SELinux provides its implementations of the hook
functions in security/selinux/hooks.c, e.g. selinux_inode_permission.
Hence, you should be looking for calls to functions with the security_
prefix instead of explicit references to security_ops in the core
kernel.
Chris - feel free to rip out lsm.tmpl and replace it with something more
up-to-date and complete.
--
Stephen Smalley
National Security Agency