> -----Original Message-----
> From: Stephen Smalley [mailto:sdsat_private]
> Sent: Wednesday, August 29, 2001 10:40 PM
> To: Lachlan McIlroy
> Cc: linux-security-moduleat_private
> Subject: RE: quotactl hook
>
>
>
> On Wed, 29 Aug 2001, Lachlan McIlroy wrote:
>
> > I've incorporated Stephen's suggestions but the superblock
> > (sb) is not available until after the quotactl hook so I
> > added it to the quota_on hook instead.
>
> Why can't you move the quotactl hook after the sb is
> acquired (See the attached patch, relative to yours)? If you
> only provide it in the quota_on hook, we can't perform access
> control based on the file system for any of the other quotactl
> commands.

Thanks. I realised the same problem. Originally I placed the hook before the DAC checks because this was useful for auditing, then we decided to make it authoritative so I moved it to after the DAC checks and added the retval to the hook. Since Greg removed the retval from the hook, the DAC checks can now short-circuit return which is not helpful to us. Moving the quotactl hook after where the sb is obtained means more short-circuits before the hook but this is certainly not the first time we've encountered this problem....

I've attached a patch with sb in the quotactl hook.

>
> --
> Stephen D. Smalley, NAI Labs
> ssmalleyat_private
>
>
>
>

---
Lachlan McIlroy            Phone: +61 3 9596 4155
Trusted Linux              Fax: +61 3 9596 2960
Adacel Technologies Ltd    www.adacel.com
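The placement trade-off discussed in this message, as an added user-space model (not the attached patch and not kernel code): it shows which calls a quotactl hook gets to see, and whether it has a superblock to decide on, at each of the three positions mentioned. The check order (DAC, then sb lookup) is taken from the message; every name, the device path and the requests are constructed for illustration, and the hook only records what it saw.

```c
/* User-space model only: not kernel code, all names hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
enum placement { BEFORE_DAC, AFTER_DAC, AFTER_SB };
struct request { int privileged; const char *dev; };   /* constructed input */
struct result  { int hook_called; int hook_saw_sb; int rc; };

/* Stand-in for the superblock lookup: one mounted device in this model. */
static const char *lookup_sb(const char *dev)
{
    return strcmp(dev, "/dev/hda1") == 0 ? "sb(hda1)" : NULL;
}

static void hook(struct result *r, const char *sb)
{
    r->hook_called = 1;
    r->hook_saw_sb = (sb != NULL);   /* per-filesystem policy needs this */
}

struct result model_quotactl(enum placement p, struct request rq)
{
    struct result r = { 0, 0, 0 };
    const char *sb;
    if (p == BEFORE_DAC)
        hook(&r, NULL);              /* sees every call, useful for audit */
    if (!rq.privileged) {            /* DAC check short-circuits */
        r.rc = -EPERM;
        return r;
    }
    if (p == AFTER_DAC)
        hook(&r, NULL);              /* still no sb to decide on */
    sb = lookup_sb(rq.dev);
    if (sb == NULL) {                /* second short-circuit before AFTER_SB */
        r.rc = -ENODEV;
        return r;
    }
    if (p == AFTER_SB)
        hook(&r, sb);
    return r;
}

int main(void)
{
    struct request denied = { 0, "/dev/hda1" };
    struct result r = model_quotactl(AFTER_SB, denied);
    printf("AFTER_SB, DAC-denied caller: hook_called=%d rc=%d\n", r.hook_called, r.rc);
    return 0;
}
```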
This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 17:53:17 PDT