* frm chrisat_private "09/25/01 15:40:46 -0700" | sed '1,$s/^/* /'
*
** richard offer (offerat_private) wrote:
*>
*>
*> Has anyone any ideas on how to tell the difference between walking the
*> path (which calls permission(MAY_EXEC)) and chdir (which calls
*> permission(MAY_EXEC)) ? Generating bogus chdir events for every path walk
*> seems sub-optimal.
*
* hmm, the chdir case doesn't really seem any different to me than the
* path walk case ;-)

path_walk is "transient", it doesn't affect any subsequent decisions.

chdir affects all subsequent (relative) file accesses.

*
*> I was thinking about proposing a new hook in set_fs_pwd and friends, but
*> my proposals haven't met with much success :-)
*
* set_fs_[pwd,root,altroot] do fall within the scope of the current
* hooking paradigm as task_ops hooks, but i sure don't like imposing a
* double check in the code path like that.

I know, and if I could think cleverer I would, the real problem is the
overloading of the flags given to permission()

MAY_EXEC -> path walk
MAY_WRITE | MAY_EXEC -> delete
MAY_WRITE | MAY_EXEC -> create
MAY_APPEND -> optionally or'ed with flags in open_namei
MAY_WRITE -> vfs_rename_dir
MAY_WRITE -> truncate
MAY_WRITE -> utime / utimes
MAY_EXEC -> chdir / fchdir
MAY_EXEC -> chroot

And of course the normal uses of MAY_EXEC | READ | WRITE

*
* -chris
*

richard.

-----------------------------------------------------------------------
Richard Offer Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
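
Added example, not part of the original message or of the LSM code: a user-space C model of the overloading described above, showing that a hook inside permission() logs identical MAY_EXEC events for a plain path walk and for a chdir, while a hook at set_fs_pwd fires only for the chdir. The names model_chdir, set_fs_pwd_hook, the log arrays and the sample paths are assumptions made for the illustration; the inode argument of permission() is omitted.

```c
#include <stdio.h>

#define MAY_EXEC 1            /* mask bit as defined in linux/fs.h */
#define MAX_EV   64

static int perm_log[MAX_EV];  /* masks seen by a hook inside permission() */
static int perm_count;
static int pwd_count;         /* events from the proposed set_fs_pwd hook */

static void reset_logs(void) { perm_count = 0; pwd_count = 0; }

/* Model of permission(): the hook gets the mask, not the caller's intent. */
static int permission(int mask)
{
    if (perm_count < MAX_EV)
        perm_log[perm_count++] = mask;
    return 0;                 /* always allow in this model */
}

/* Path walk: one MAY_EXEC (search) check per directory traversed. */
static int path_walk(const char *path)
{
    for (const char *p = path; *p; p++)
        if (*p == '/' && permission(MAY_EXEC) != 0)
            return -1;
    return 0;
}

static void set_fs_pwd_hook(void) { pwd_count++; }  /* hypothetical hook site */

/* chdir: walk to the target, MAY_EXEC check on it, then change the cwd. */
static int model_chdir(const char *path)
{
    if (path_walk(path) != 0 || permission(MAY_EXEC) != 0)
        return -1;
    set_fs_pwd_hook();
    return 0;
}

/* 1 if every logged mask is exactly MAY_EXEC (nothing marks a chdir). */
static int all_may_exec(void)
{
    for (int i = 0; i < perm_count; i++)
        if (perm_log[i] != MAY_EXEC)
            return 0;
    return 1;
}

int main(void)
{
    reset_logs(); path_walk("/usr/share/doc/README");   /* constructed path */
    printf("walk:  %d perm, %d pwd, same mask=%d\n", perm_count, pwd_count, all_may_exec());
    reset_logs(); model_chdir("/usr/share/doc");        /* constructed path */
    printf("chdir: %d perm, %d pwd, same mask=%d\n", perm_count, pwd_count, all_may_exec());
    return 0;
}
```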
This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 16:31:36 PDT