On Tue, 25 Sep 2001, richard offer wrote:

> I know, and if I could think cleverer I would, the real problem is the
> overloading of the flags given to permission()
>
> MAY_WRITE | MAY_EXEC -> delete
> MAY_WRITE | MAY_EXEC -> create
> MAY_WRITE -> vfs_rename_dir
> MAY_WRITE -> truncate
> MAY_WRITE -> utime / utimes
> MAY_EXEC -> chdir / fchdir
> MAY_EXEC -> chroot
>
> And of course the normal uses of MAY_EXEC | READ | WRITE

For specialized checking on many of these operations, you can use the
corresponding hook in inode_security_ops, e.g. the
create/mkdir/mknod/symlink hooks, the link hook, the unlink/rmdir hooks,
the rename hook, and the setattr hook. I suppose we could add a
specialized hook for chdir, but it still isn't clear to me how you intend
to use it for access control.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private