Re: [PATCH 2/5] selinux: adds a private inode operation

From: Stephen Smalley
Date: Mon Nov 22 2004 - 11:35:57 EST

Next message: Hariprasad Nellitheertha: "Re: [PATCH] kdump: Fix for boot problems on SMP"
Previous message: Johannes Stezenbach: "Re: modprobe + request_module() deadlock"
In reply to: Stephen Smalley: "Re: [PATCH 2/5] selinux: adds a private inode operation"
Next in thread: James Morris: "Re: [PATCH 2/5] selinux: adds a private inode operation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2004-11-22 at 08:35, Stephen Smalley wrote:
> Don't we also need to modify inode_has_perm() to skip checking if the
> inode has the kernel SID (as is already done by socket_has_perm) to
> avoid the search checks when the reiserfs code looks up xattrs?
> Otherwise, we'll see access attempts by the process context on
> directories with the kernel SID upon such lookups.

Actually, I think we need a new flag field in the inode_security_struct
to explicitly mark these "private" inodes for SELinux, so that
inode_has_perm() can skip permission checking on them while still
applying checks to any other inodes that may have the kernel SID (e.g.
/proc/pid inodes for kernel threads).

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Hariprasad Nellitheertha: "Re: [PATCH] kdump: Fix for boot problems on SMP"
Previous message: Johannes Stezenbach: "Re: modprobe + request_module() deadlock"
In reply to: Stephen Smalley: "Re: [PATCH 2/5] selinux: adds a private inode operation"
Next in thread: James Morris: "Re: [PATCH 2/5] selinux: adds a private inode operation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]