Stephen Smalley wrote:

> > - Stephen Smalley brought up the issue of duplication of some of the
> > hooks. For instance, some code paths call two separate LSM hooks. One
> > example of this is the hook at attach_pathlabel and at the inode level.
> > Stephen felt that this would be frowned on by the kernel developers.
>
> For example, vfs_mkdir calls the post_mkdir LSM hook for assigning labels
> to newly created directories, and sys_mkdir calls the attach_pathlabel LSM
> hook for the same purpose. The problem is that the DTE project wants the
> vfsmount, which is only available in the sys_mkdir, in order to
> reconstruct the absolute pathname, whereas we are ok with just
> the dentry/inode and want to ensure that the assignment occurs
> on every directory creation, so we would prefer it to happen in
> vfs_mkdir. I'm thinking that we can eliminate the attach_pathlabel
> hook calls in these situations, following Doug's suggestion for
> modules that use implicit attribute assignments, and that we
> can even push down some of the other attach_pathlabel hook calls
> to shadow lower-level i_op->lookup calls. I would like to minimize
> any hook dependencies on vfsmounts.

I'd like to better understand this suggestion. Various modules (DTE, SubDomain) really do need the absolute path of the file being accessed. If there is not a hook that provides that information, then there needs to be a way to reconstruct the info. I'm assuming that "Doug's suggestion" is such a means?

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
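The constraint debated in this thread, as an added user-space illustration (not kernel code and not code from LSM, DTE or SubDomain): a hook that sees only a dentry can name a file relative to the root of its own filesystem, while a hook that also gets the vfsmount can cross mountpoints and recover the absolute path. The structs are simplified stand-ins for the kernel types of the same name; `model_path` and the sample tree are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified models (assumption): a dentry knows its name and parent only;
 * a vfsmount knows where its filesystem is attached in the parent mount. */
struct dentry   { const char *name; struct dentry *parent; }; /* parent == self at fs root */
struct vfsmount { struct dentry *mountpoint; struct vfsmount *parent; }; /* parent NULL: root mount */

/* Write "/name" in front of the text that currently starts at buf[*pos]. */
static int prepend(char *buf, size_t *pos, const char *name) {
    size_t n = strlen(name);
    if (*pos < n + 1) return -1;           /* not enough room left */
    *pos -= n;
    memcpy(buf + *pos, name, n);
    buf[--*pos] = '/';
    return 0;
}

/* Build the path of d right-to-left in buf. With mnt == NULL the walk stops at
 * the filesystem root (the dentry-only view); with a mount it continues through
 * each mountpoint. Returns a pointer into buf, or NULL if buf is too small. */
const char *model_path(struct dentry *d, struct vfsmount *mnt, char *buf, size_t len) {
    if (len < 2) return NULL;
    size_t pos = len - 1;
    buf[pos] = '\0';
    for (;;) {
        if (d->parent == d) {              /* root of the current filesystem */
            if (!mnt || !mnt->parent) break;
            d = mnt->mountpoint;           /* resume in the parent mount */
            mnt = mnt->parent;
            continue;
        }
        if (prepend(buf, &pos, d->name)) return NULL;
        d = d->parent;
    }
    if (buf[pos] == '\0') buf[--pos] = '/'; /* d was itself the root */
    return buf + pos;
}

/* Constructed sample: a second filesystem mounted on /home holds alice/newdir. */
static struct dentry root_d   = { "", &root_d };
static struct dentry home_d   = { "home", &root_d };
static struct dentry fs2_root = { "", &fs2_root };
static struct dentry alice    = { "alice", &fs2_root };
static struct dentry newdir   = { "newdir", &alice };
static struct vfsmount root_mnt = { NULL, NULL };
static struct vfsmount home_mnt = { &home_d, &root_mnt };

int main(void) {
    char buf[64];
    printf("dentry only:       %s\n", model_path(&newdir, NULL, buf, sizeof buf));
    printf("dentry + vfsmount: %s\n", model_path(&newdir, &home_mnt, buf, sizeof buf));
    return 0;
}
```

In this model a pathname-based policy keyed on `/home/alice/newdir` cannot be matched from the dentry-only result, which is the dependency on the vfsmount that the thread is weighing against placing the hook in vfs_mkdir.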
This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 16:02:22 PDT