Re: [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts

[Rob Meijer]

On Mon, April 16, 2007 23:57, Alan Cox wrote:
>> > That is a fairly significant and sudden change to the existing
>> > kernel/user interface.
>>
>> Well, this is not meant for 2.6.21. I hope it is possible to change it
>> in
>> early 2.6.22; otherwise if we can't fix mistakes from the past we are
>> pretty
>> doomed.
>
> I don't believe the existing behaviour _IS_ a mistake.
>
>> > This is untrue. The process can get there (via fd passing with another
>> > task)
>>
>> Process can access file descriptors which are unreachable via path name
>> just
>> fine indeed, but those fds still don't have a valid path in the context
>> of
>> that process.
>
> Which while problematic to your name based security is just fine to
> everything else.

The realisation that I feel needs to be made is that fd passing is a
legitimate transfer of authority, and attempting to block the usage of
this authority (or block the transfer of this authority) would be
extremely bad.

One thing however that does need some major attention is the amounth of
and the scope of the authority that is being transfered with directory
file handles.



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/