On Tue, Oct 02, 2001 at 12:47:06PM -0400, Stephen Smalley wrote:
> [get_write_access hook]
> Are you sure that you can't achieve the same end via a combination of the
> existing inode_security_ops permission and setattr and file_security_ops
> permission hooks?

As sure as I ever am about anything, yes. :)

The kernel will not help us with our race condition (writing to a file being
executed, executing a file opened for writing, that whole ball of wax) until
the i_writecount parameter is non-zero. The only safe place to change the
i_writecount from zero to anything else is in get_write_access. Because I
need the kernel's protection of executing files, I don't think I could put
the hook anywhere else.

> And if you are sure that you need a hook in get_write_access, don't you
> think it would be a good idea to also have a hook in put_write_access, as
> suggested by Greg?

While I don't need the hook, I could see that someone else may want it. I'd
be happy to add it, but .. is it really worth adding another hook just for
symmetry's sake? (i.e., we found a reason for the get_write_access hook; does
that mean we should put a hook in put_write_access even though we haven't
found a use for it yet?)

Thanks Stephen
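A simplified user-space model of the i_writecount arbitration the message refers to, added here as an illustration; it is not the kernel's code or the patch under discussion. The `struct inode_model` type and the `hook` parameter are hypothetical, and the kernel's locking around the counter is left out.

```c
#include <errno.h>
#include <stdio.h>

/* Model only: >0 means open writers, <0 means the file is being executed. */
struct inode_model { int i_writecount; };

/* Hypothetical module hook: 0 allows the write, a negative errno vetoes it. */
typedef int (*write_hook_t)(const struct inode_model *);
int hook_allow(const struct inode_model *i) { (void)i; return 0; }
int hook_deny(const struct inode_model *i) { (void)i; return -EACCES; }

/* Writer side: refused while the file is being executed. The hook runs
 * before the count is raised, so a veto leaves the counter untouched. */
int get_write_access(struct inode_model *inode, write_hook_t hook)
{
    int rc;
    if (inode->i_writecount < 0)
        return -ETXTBSY;
    if (hook && (rc = hook(inode)) != 0)
        return rc;
    inode->i_writecount++;
    return 0;
}

void put_write_access(struct inode_model *inode) { inode->i_writecount--; }

/* Exec side: refused while any writer holds the file open. */
int deny_write_access(struct inode_model *inode)
{
    if (inode->i_writecount > 0)
        return -ETXTBSY;
    inode->i_writecount--;
    return 0;
}

void allow_write_access(struct inode_model *inode) { inode->i_writecount++; }

int main(void)
{
    struct inode_model ino = { 0 };
    printf("vetoed write: %d\n", get_write_access(&ino, hook_deny));
    printf("allowed write: %d\n", get_write_access(&ino, hook_allow));
    printf("exec while written: %d\n", deny_write_access(&ino));
    put_write_access(&ino);
    printf("exec after close: %d\n", deny_write_access(&ino));
    printf("write while executing: %d\n", get_write_access(&ino, hook_allow));
    allow_write_access(&ino);
    return ino.i_writecount; /* back to zero */
}
```
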