Re: Updated auth patch for 2.4.12

From: jmjonesat_private
Date: Thu Oct 11 2001 - 12:33:00 PDT


    On Thu, Oct 11, 2001 at 11:12:33AM -0700, richard offer wrote:
    > @@ -968,8 +966,8 @@
    >       up(&dir->i_zombie);
    >       if (!error) {
    >               inode_dir_notify(dir, DN_CREATE);
    > -             security_ops->inode_ops->post_create(dir, dentry, mode);
    >       }
    > +     security_ops->inode_ops->post_create(error, dir, dentry, mode);
    >       return error;
    >  }
    >
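Review bot: post_create() now runs on the failure path as well, because the call moved out of the `if (!error)` block to just before `return error`, so any existing post_create implementation that assumed a successful create has to test its new first argument before it uses dir or dentry. The hook's documentation should state that it is called unconditionally and what a module may rely on about dentry when error is nonzero. The call's result is not used and `return error` is unchanged, so the hook cannot alter the outcome; if that is intended, a short comment at the call site saying the hook is informational only would make the contract explicit.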
    
    On Thu, 11 Oct 2001, Greg KH wrote:
    
    > These hooks look specifically for audit to me.
    
    Since this hook apparently receives the error, but can't change it,
    I don't see how it's authoritative, in this usage.  It does seem to 
    be purely informative to the module.  
    
    This seems to lead to the following questions:
    
    1) Is the same hook usable elsewhere in another capacity?  If so, what's
       the capacity and how does this change affect it?

    2) This is useful for audit, undoubtedly, but how does it advance the
       function of access restriction?  (NOT a rhetorical question, since
       an answer to this could make it a "relevant change.")

    3) It actually, IMHO, might be more useful for access restriction if
       it actually COULD change the returned ERROR, since it might add the
       ability to refuse for other reasons... but I also know this has been
       decided to be "too dangerous", standing alone, by this project.

    4) The change doesn't seem to cost anything.  It provides information
       to the module which MAY be useful for access restriction purposes
       (statistical modeling or some such thing, applied to restriction via
       subsequent module interactions) and it BARELY changes the impact on
       either the source code or even the object code compiled.
    
    Is this a "slippery slope" issue? 
    
    Slightly Amazed at This Challenge,
    J. Melvin Jones
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 12:34:47 PDT