--- Crispin Cowan <crispin@xxxxxxxxxxxxxxxx> wrote:

> Stephen Smalley wrote:
> >> It is if I have to maintain special pieces of code for each possible LSM.
> >> One piece for SELinux, one piece for AppArmour, one piece for Smack, one piece
> >> for Casey's security system. That sounds like a pain.

It's probably less of a pain if you consider that Casey's security
scheme is Smack.

> > All your code has to do is invoke a function provided by libselinux. If
> > at some later time a liblsm is introduced that provides a common
> > front-end to a libselinux, libsmack, ..., then you can use that. But it
> > doesn't exist today. But it all just becomes a simple function call
> > regardless.
>
> libapparmor exists. It only had one API, and now it has 2, but just 2
> versions on the same concept (change_hat and change_profile).
>
> This is the API for change_hat http://man-wiki.net/index.php/2:change_hat
>
> What does the corresponding API in SELinux look like?

The POSIX mac_set_proc(mac_t label) might work for this interface.

    Sets the current process MAC attribute, if appropriate.

The Smack implementation would be pretty easy:

#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* SMACK_MAX_LABEL_LEN comes from the Smack headers; the fallback below is
 * the limit used by the original Smack code, assumed here so the snippet
 * builds on its own. */
#ifndef SMACK_MAX_LABEL_LEN
#define SMACK_MAX_LABEL_LEN 23
#endif

typedef char *mac_t;

int mac_set_proc(mac_t label)
{
	int fd;
	int rc;

	/* Refuse labels longer than Smack allows before touching /proc. */
	rc = strlen(label);
	if (rc > SMACK_MAX_LABEL_LEN)
		return -1;
	/* The calling process changes its own Smack label by writing it
	 * to /proc/self/attr/current; the kernel decides if that is allowed. */
	fd = open("/proc/self/attr/current", O_RDWR);
	if (fd < 0)
		return -1;
	rc = write(fd, label, rc);
	close(fd);
	if (rc < 0)
		return -1;
	return 0;
}

Casey Schaufler
casey@xxxxxxxxxxxxxxxx

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.