Re: Some feedback on the hooks

• Previous message: Greg KH: "No more oops on booting"
• In reply to: Stephen Smalley: "Re: Some feedback on the hooks"
• Next in thread: Chris Wright: "Re: Some feedback on the hooks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 26, 2001 at 02:16:16PM -0400, Stephen Smalley wrote:
> I've attached a patch relative to your latest patch that adjusts
> the existing mount hook and adds some additional hooks for the
> mount-related operations based on the SELinux insertion points.  In
> addition to modifying fs/super.c and include/linux/security.h,
> the patch updates kernel/security.c and kernel/capability_plug.c
> appropriately.  In addition to these changes, I would still
> like to see a security field added, preferably to struct
> super_block, but alternatively to struct vfsmount if you prefer.
> Of course, that will require a security operations vector
> with alloc_security and free_security hooks.

Thanks for the patch.  I added it to the tree.  Very much appreciated.
I'll look into adding a field to either the super_block or the vfsmount.

> On a side note, should the alloc_security and free_security hooks
> be made consistent with the other hooks, i.e. passing a pointer
> to the object and letting the hook set/free the internal security
> field rather than returning/passing the security field itself?
> You already have a case where you must pass the object to the
> alloc_security hook (for linux_binprm), and it seems like
> you might also want the object in inode free_security calls 
> so that you can clear the inode's entry in the persistent
> label mapping.  However, in that case, the inode's free_security
> hook shouldn't be called until just before calling delete in
> iput, so perhaps you want a separate hook for that purpose.

I agree, the consistency isn't there.  I've added the inode parameter to
the alloc_security call.  I'm waffling about passing the whole structure
back for the free call, but I can see how it could be useful (just
requires a bit more work in the module, not a big deal.)  Does anyone
else care either way about this?

Thanks again for the patch,

greg k-h


_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: talgat_private: "Re: intercepting system calls"
• Previous message: Greg KH: "No more oops on booting"
• In reply to: Stephen Smalley: "Re: Some feedback on the hooks"
• Next in thread: Chris Wright: "Re: Some feedback on the hooks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 15:33:22 PDT