Re: Documentation for inode security hooks

From: Stephen Smalley (sdsat_private)
Date: Tue Sep 18 2001 - 05:01:36 PDT

    On Mon, 17 Sep 2001, Chris Wright wrote:
    > +	 * Check permission before accessing an inode.  This hook is
    > +	 * called when an inode is opened, is a directory element in a
    > +	 * pathname or is a parent directory for inode creation/deletion,
    > +	 * whereas the file_security_ops hooks are used to mediate access
    >  	 * when the actual read/write operations are performed.
    >  	 * Return 0 if permission is granted.
    >  	 */
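    Review bot: The added sentence lists three call sites (open, pathname directory element, parent directory for creation/deletion) without marking them as examples, so the comment reads as an exhaustive contract for the hook. Suggest wording such as "called, for example, when ..." or stating the rule generally (any inode access check that is not a per-operation read/write on an open file) and keeping the contrast with the file_security_ops hooks as the main point. The unchanged line "Return 0 if permission is granted." also leaves the denial case undocumented; say what the hook returns when access is refused.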
    Although this description does capture more of the uses of this hook,
    there are certainly other uses as well, such as checking execute access
    for execve(), checking write access for truncate() and utimes(), checking
    the requested access for access(), checking write access for Unix domain
    socket connect()/sendmsg(), etc.  The permission() function is used fairly
    pervasively, so it seems difficult to capture all of its uses.  The
    important thing is to clearly differentiate the file_security_ops
    permission hook from the inode_security_ops permission hook.
    Stephen D. Smalley, NAI Labs
    linux-security-module mailing list
