On Tue, Sep 02, 2003 at 10:12:25AM -0400, Stephen Smalley wrote: > On Mon, 2003-09-01 at 00:10, Charles Levert wrote: > > I am working on a security module that (kind of) implements traditional > > capabilities (i.e., unforgeable references, not posix-draft capabilities). > > For this, I need a security hook in LSM that allows me to walk the > > directory tree (in the dcache) across mountpoints if necessary, every > > time a file is opened. This means I need more than just a dentry but > > also the vfsmount that goes with it. One way to obtain this is to be > > passed a nameidata. > > Can you elaborate further on how you intend to use this hook, preferably > with a URL to the actual module code? I do not have a web site for the code set up at the moment. Here is what I am trying to do. Let d be a reference directory that is an open file of the current process (i.e., it has a file descriptor assigned to it). Let f be the file that the user is trying to open (or an executable that he's trying to execute) after all symlinks have been traversed. The open is allowed to succeed if f is in the subtree of files specified by d. E.g., d=/a/b f=/a/b/c/d succeeds d=/a/b f=/a/e/f fails For this, I need to be able to walk the tree from f to the root and if I pass by d in doing so, then the open succeeds. What I am doing is actually a bit more complicated, but that's the gist of it. > What if the directory tree is mutated between the link_path_walk > resolution and the call to your security hook? I only take the result, whatever it is. I do not duplicate any of the complexity in link_path_walk. So, I don't care if something has changed in between. > How robust is your mechanism against rearrangement of the namespace, > per-process namespaces, and object aliasing? I'm sorry, you are (mostly) loosing me here. Do you have any references for this stuff (or source files to read). I am aware of per-process namespaces in Plan 9, but not in Linux. Both d and f are specified from the point of view of the same process. The hook is only called at one time during lookup; I don't care if things change after that. > > The way I solved the problem is by adding a new hook to LSM, after having > > tried to do it with the existing set of hooks. However, I would welcome > > suggestions in addressing my problem with the existing set of hooks if > > you think this is possible. > > Any chance you can use the d_instantiate hook for each instantiation > (after initializing the root via post_addmount)? DTE, which also > requires traversal of the directory tree, is able to use it. To be honest, I developed my prototype around 2.4.20-lsm1 where there was no d_instantiate hook. I have taken a look at dte_d_instantiate in 2.5.72-lsm1 and I am having trouble seeing this traversal of the directory tree. Maybe I need to study this code further... Charles _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Sep 02 2003 - 15:55:11 PDT