Re: path_post_lookup

From: Charles Levert (chuckat_private)
Date: Tue Sep 02 2003 - 15:54:31 PDT

  • Next message: dormouseat_private: "Re: Thank you!"

    On Tue, Sep 02, 2003 at 10:12:25AM -0400, Stephen Smalley wrote:
    > On Mon, 2003-09-01 at 00:10, Charles Levert wrote:
    > > I am working on a security module that (kind of) implements traditional
    > > capabilities (i.e., unforgeable references, not posix-draft capabilities).
    > > For this, I need a security hook in LSM that allows me to walk the
    > > directory tree (in the dcache) across mountpoints if necessary, every
    > > time a file is opened.  This means I need more than just a dentry but
    > > also the vfsmount that goes with it.  One way to obtain this is to be
    > > passed a nameidata.
    > Can you elaborate further on how you intend to use this hook, preferably
    > with a URL to the actual module code?
    I do not have a web site for the code set up at the moment.
    Here is what I am trying to do.  Let d be a reference directory that
    is an open file of the current process (i.e., it has a file descriptor
    assigned to it).  Let f be the file that the user is trying to open
    (or an executable that he's trying to execute) after all symlinks have
    been traversed.  The open is allowed to succeed if f is in the subtree
    of files specified by d.  E.g.,
    	d=/a/b	f=/a/b/c/d	succeeds
    	d=/a/b	f=/a/e/f	fails
    For this, I need to be able to walk the tree from f to the root and if
    I pass by d in doing so, then the open succeeds.
    What I am doing is actually a bit more complicated, but that's the gist
    of it.
    > What if the directory tree is mutated between the link_path_walk
    > resolution and the call to your security hook?
    I only take the result, whatever it is.  I do not duplicate any of the
    complexity in link_path_walk.  So, I don't care if something has changed
    in between.
    > How robust is your mechanism against rearrangement of the namespace,
    > per-process namespaces, and object aliasing?
    I'm sorry, you are (mostly) loosing me here.  Do you have any references
    for this stuff (or source files to read).  I am aware of per-process
    namespaces in Plan 9, but not in Linux.
    Both d and f are specified from the point of view of the same process.
    The hook is only called at one time during lookup; I don't care if things
    change after that.
    > > The way I solved the problem is by adding a new hook to LSM, after having
    > > tried to do it with the existing set of hooks.  However, I would welcome
    > > suggestions in addressing my problem with the existing set of hooks if
    > > you think this is possible.
    > Any chance you can use the d_instantiate hook for each instantiation
    > (after initializing the root via post_addmount)?  DTE, which also
    > requires traversal of the directory tree, is able to use it.
    To be honest, I developed my prototype around 2.4.20-lsm1 where there
    was no d_instantiate hook.  I have taken a look at dte_d_instantiate
    in 2.5.72-lsm1 and I am having trouble seeing this traversal of the
    directory tree.  Maybe I need to study this code further...
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Tue Sep 02 2003 - 15:55:11 PDT