On Thu, 5 Jul 2001 sarnoldat_private wrote: > On Thu, Jul 05, 2001 at 02:09:30PM -0400, Stephen Smalley wrote: > > Using inodes at runtime seems preferable to us - you want to protect > > data contained in an object, not a pathname. > > I'm not sure this is always the case. While it might make great sense > for user data, there are system configuration files at Well Known > Locations where the data in the file needs to be protected -- at that > location. > > Perhaps some examples: /etc/shadow, /etc/hosts, /vmlinu[xz], /etc/lilo.conf > /etc/hosts.{allow|deny|options}, /etc/ld.so.{conf|cache}, /etc/exports, > /etc/fstab. > > Each of these files is needed at some point or another to remain > unchanged *in its current location*. > > Keeping track of only the inode, if I am not mistaken, would allow for > moving the file to another location and placing another file in the well > known location. (Of course, the other modules will protect the well > known files by protecting the directories containing those files; > however, this model is not SubDomain's model.) Umm, no. As you point out, you can protect the directories containing the files in question. Furthermore, you can implement per-file controls on operations like rename, link, and unlink as well as the directory controls. SELinux does exactly that - you must have appropriate permission to the directory and to the particular file. But let's not go too far on this debate. As I've previously stated, you can support pathname-based modules without needing to reconstruct absolute pathnames on each lookup or file creation operation. In fact, that should be preferable to you from a performance perspective. So the hooks end up being the same anyway. -- Stephen D. Smalley, NAI Labs ssmalleyat_private _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 13:58:24 PDT