Re: [PATCH] Pass nameidata to security_inode_permission (Was: Re: path_post_lookup)

From: Chris Wright (chriswat_private)
Date: Mon Sep 08 2003 - 13:53:43 PDT

  • Next message: Omen Wild: "Announcement: Enforcer LSM with TCPA integration"

    * Stephen Smalley (sdsat_private) wrote:
    > This patch against 2.6.0-test4 (or 2.6.0-test4-lsm1) adds the optional
    > nameidata parameter to the security_inode_permission hook, and updates
    > SELinux to use the nameidata when it is non-NULL.  The patch removes
    > exec_permission_lite entirely rather than just updating it to pass the
    > nameidata, since there no longer appears to be any reason to keep
    > exec_permission_lite separate from permission (due to prior changes to
    > the dcache locking).
    
    I ran perf tests on removing this call a while back, and discovered that
    removing it generated noticable overhead (not sure if i have the figures
    any longer, but it's easy to recreate).
    
    > I considered updating some of the other inode security hooks in
    > fs/namei.c as well, but found that this would require more extensive
    > changes to update all callers and would change some interfaces that are
    > exported to kernel modules, e.g. vfs_mkdir, vfs_mknod, etc.  Changing
    > these interfaces would also raise the question of whether the underlying
    > inode operations should also be extended to pass the nameidata for these
    > operations.  Hence, I thought it best to defer updating the other inode
    > security hooks to separate patches.  
    
    I've started the full changeover in mid-2.4 timeframe, and I agree, it's
    not happening without proper VFS support for nameidata.
    
    > Comments?
    
    I'm not thrilled by the notion that nd can be null, and requires 3rd arg
    rather than replacing inode.  It is still more useful than just plain
    inode in some cases.  Patch looks fine, should have some perf numbers on
    nuking the permission_lite function.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Mon Sep 08 2003 - 13:55:35 PDT