Re: graft_tree/attach_mnt rfc

• Previous message: Chris Wright: "Re: [RFC] No more module_* hooks"
• In reply to: Chris Wright: "Re: graft_tree/attach_mnt rfc"
• Next in thread: Serge E. Hallyn: "Re: graft_tree/attach_mnt rfc"
• Reply: Serge E. Hallyn: "Re: graft_tree/attach_mnt rfc"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Original Message ----- 
From: "Chris Wright" <chrisat_private>
To: "Serge E. Hallyn" <hallyn@mpi-cbg.de>
Cc: <linux-security-moduleat_private>
Sent: Monday, September 30, 2002 8:37 AM
Subject: Re: graft_tree/attach_mnt rfc


> * Serge E. Hallyn (hallyn@mpi-cbg.de) wrote:
> ...
> > Do people feel this is worth doing?
> 
> I do think it is worth doing.  I guess it comes down to which namespace
> operations you (and others) need to mediate and how.  do_kern_mount
> hooks is clearly sufficient for SELinux, and gives each superblock a
> label.  Is attaching a tree to the namespace something that needs to be
> mediated, or simply recorded?
> 

Anyone using a security policy that derives inode security
information from the namespace needs to follow additions and removals
in the namespace, not just references to superblocks.
We do it that way for one.

Mike Wray


_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Serge E. Hallyn: "Re: graft_tree/attach_mnt rfc"
• Previous message: Chris Wright: "Re: [RFC] No more module_* hooks"
• In reply to: Chris Wright: "Re: graft_tree/attach_mnt rfc"
• Next in thread: Serge E. Hallyn: "Re: graft_tree/attach_mnt rfc"
• Reply: Serge E. Hallyn: "Re: graft_tree/attach_mnt rfc"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 01:23:39 PDT