Re: [RFC][PATCH] security/selinux: Simplify proc inode to security label mapping.

From: Eric W. Biederman
Date: Sun Nov 22 2009 - 21:42:19 EST

Next message: indexer: "Re: [Bug 14658] Regression in efi.c"
Previous message: Andrew Morton: "Re: [PATCH] genksyms: properly considerEXPORT_UNUSED_SYMBOL{,_GPL}()"
In reply to: Tetsuo Handa: "Re: [RFC][PATCH] security/selinux: Simplify proc inode to securitylabel mapping."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

James Morris <jmorris@xxxxxxxxx> writes:

> On Fri, 20 Nov 2009, Eric W. Biederman wrote:
>
>>
>> Currently selinux has incestuous knowledge of the implementation details
>> of procfs and sysctl that it uses to get a pathname from an inode. As it
>> happens the point we care is in the security_d_instantiate lsm hook so
>> we have a valid dentry that we can use to get the entire pathname on
>> the proc filesystem. With the recent change to sys_sysctl to go through
>> proc/sys all proc and sysctl accesses go through the vfs, which
>> means we no longer need a sysctl special case.
>
> I need to investigate this further, but one immediate issue is that
> Tomoyo seems to have similar code.

The Tomoyo code is currently gone in the sysctl tree (and thus in
linux-next), that change was part of what got me thinking about changing
selinux as well.

If we can remove the selinux special case as well then we can actually
remove the sysctl hook from the lsm.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: indexer: "Re: [Bug 14658] Regression in efi.c"
Previous message: Andrew Morton: "Re: [PATCH] genksyms: properly considerEXPORT_UNUSED_SYMBOL{,_GPL}()"
In reply to: Tetsuo Handa: "Re: [RFC][PATCH] security/selinux: Simplify proc inode to securitylabel mapping."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]