> On Thu, Jul 19, 2001 at 10:15:33PM -0700, Crispin Cowan wrote:
> >
> > SubDomain does not allow confined programs to call mount or umount. SubDomain's
> > threat model is only concerned with confined processes and principals external to
> > the machine. Unconfined processes don't matter, because there either shouldn't be
> > any, or they are there for a reason and are trusted.
>
> Ok, so then all SubDomain has to contend with is handling hard links.
>
> But since I know that SubDomain only allows hard (and soft) links if
> they are specifically listed in a process's profile, no unknown links
> can be created by a process.
>
> So the inode that is passed to permission() should only have a dentry
> list containing 1 dentry. Reconstruct the path from that dentry, and
> bob's your uncle.

Not at all. The dentry list is systemwide. If /dev/mouse is a link to
/dev/psaux, and the process accesses /dev/psaux, while another process
accesses /dev/mouse, the inode has two entries on its dentry/d_alias list.

Now, again, attach_pathlabel does no better, unless you attach multiple
labels to each inode as I've mentioned previously in private. Not pretty.

I'm starting to wonder how this was originally implemented...

-serge
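The aliasing discussed in this message can be observed from user space. The following is an added example, not code from the thread or from SubDomain: it assumes the link is a hard link, uses constructed files in a temporary directory, and the `PROFILE` set and all function names are hypothetical.

```python
import os
import tempfile

# Hypothetical path-based profile: the confined process may open only "psaux".
PROFILE = {"psaux"}

def aliases_of(directory, ino):
    """Return every name in `directory` that refers to inode `ino`
    (a user-space stand-in for walking the inode's alias list)."""
    names = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False) and entry.inode() == ino:
            names.append(entry.name)
    return sorted(names)

def decisions(names):
    """Profile verdict per alias: the answer depends on which name is chosen."""
    return {name: name in PROFILE for name in names}

def demo():
    """Create psaux and a hard link 'mouse' (constructed files in a temp dir),
    then start from the inode number alone, as a check handed only an inode would."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "psaux")
        open(target, "w").close()
        os.link(target, os.path.join(d, "mouse"))
        st = os.stat(target)
        names = aliases_of(d, st.st_ino)
        return st.st_nlink, names, decisions(names)

if __name__ == "__main__":
    nlink, names, verdicts = demo()
    print(f"link count: {nlink}, names for the inode: {names}")
    print(f"per-alias verdicts: {verdicts}")
```

Both names resolve to one inode, so a path reconstructed from the inode alone matches the profile under one alias and fails it under the other.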
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 08:46:25 PDT