Re: path_post_lookup

From: Stephen Smalley (sdsat_private)
Date: Tue Sep 02 2003 - 07:12:25 PDT

    On Mon, 2003-09-01 at 00:10, Charles Levert wrote:
    > I am working on a security module that (kind of) implements traditional
    > capabilities (i.e., unforgeable references, not posix-draft capabilities).
    > For this, I need a security hook in LSM that allows me to walk the
    > directory tree (in the dcache) across mountpoints if necessary, every
    > time a file is opened.  This means I need more than just a dentry but
    > also the vfsmount that goes with it.  One way to obtain this is to be
    > passed a nameidata.

    Can you elaborate further on how you intend to use this hook, preferably
    with a URL to the actual module code?

    What if the directory tree is mutated between the link_path_walk
    resolution and the call to your security hook?

    How robust is your mechanism against rearrangement of the namespace,
    per-process namespaces, and object aliasing?

    > The way I solved the problem is by adding a new hook to LSM, after having
    > tried to do it with the existing set of hooks.  However, I would welcome
    > suggestions in addressing my problem with the existing set of hooks if
    > you think this is possible.

    Any chance you can use the d_instantiate hook for each instantiation
    (after initializing the root via post_addmount)?  DTE, which also
    requires traversal of the directory tree, is able to use it.

    > The patch below is relative to linux-2.6.0-test4.  I also have a patch for
    > linux-2.4.20-lsm1 that I will send if this one is accepted.  Note that
    > the patch sends two parameters through the hook; for the record, I do
    > not use or need the name parameter; I just figured the hook is here and
    > the name string is available, so why the heck not?  I am also open on
    > the way I named the hook; maybe the "_post" part isn't needed.

    Based on prior feedback on the kernel mailing list, I'd recommend
    dropping parameters that have no specific justification, especially when
    they might encourage unsafe logic in security modules.

    Stephen Smalley <sdsat_private>
    National Security Agency
    linux-security-module mailing list