>From: Serge E. Hallyn <hallynat_private>
>Sent: 30 September 2002 09:28
> > > label. Is attaching a tree to the namespace something that needs to be
> > > mediated, or simply recorded?
> > >
> >
> > Anyone using a security policy that derives inode security
> > information from the namespace needs to follow additions and removals
> > in the namespace, not just references to superblocks.
> > We do it that way for one.
>
> He's not asking whether we want record, but whether we are willing
> *only* to record, and not mediate.
>
> If we only record, DTE can no longer say "this fs can't be mounted under
> this pathname." But it does make for a far cleaner patch, and I can
> still intercept the attach in order to pretend it was mounted elsewhere.
>
> So, given how much cleaner Chris' patch is, I'd say simply recording is
> the better way to go.
>
> Unless someone else needs to mediate?

It looks like you are proposing that it should no longer be possible
to veto a loopback mount with an LSM security hook, and that only
controls for do_kern_mount() should remain.

Like I said, we need to record all namespace operations, but we need
to be able to veto a loopback mount too (mediate), so I'd be against that.

BTW, in Serge and Chris's patches moving the sb_post_addmount hook from
the end of graft_tree() into attach_mount() means that it would be called
with the dcache_lock held - whereas before it wasn't. It also means that
sb_post_addmount() might be called multiple times on one mount
(via copy_tree()).

Mike Wray