On Thu, 2003-04-24 at 15:47, Chris Wright wrote:
> Yes, there was also some mention of the permission issue w.r.t. HSM and
> (I vaguely recall) an xattr interface proposed that noted if the request was
> internal from the kernel (skip the capable check) or on behalf of user.
> If this were carried through, it could suffice, no?

You still wouldn't want the security check implemented in the xattr handler (even for calls on behalf of user processes), because it will differ depending on the security module and may require the full contextual information (process and inode). Effectively, you would have to just implement a call from the xattr handler to the security module, and we already have hook calls from the [gs]etxattr system call code to the security module to support such permission checking for user processes.

--
Stephen Smalley <sdsat_private>
National Security Agency
This archive was generated by hypermail 2b30 : Thu Apr 24 2003 - 13:07:49 PDT