Multiple calls to inode_permission

From: Kristofer Spinka (kspinka@private)
Date: Wed Sep 24 2003 - 15:26:49 PDT


    Hello, I am working on a security module that utilizes the 
    LSM framework.  Thank you for the recent nameidata patches 
    to inode_permission; this has been very valuable.
    
    How do I "hook" the may_open logic point?  If I simply 
    hook inode_permission, my function will be called for 
    every dentry from the root to my inode.  Depending on how 
    the permission check is implemented, when not using per 
    object tags, this can be terribly inefficient.  Imagine 
    /usr/local/tmp/my.file.  Instead of one "strcmp", or 
    whatever, we have to process four!
    
    If in fact this is the only behavior, can we discuss 
    adding an additional hook point, file_open, that will be 
    called with the same parameters as inode_permission, but 
    only for the terminal inode/nameidata, not the whole path 
    along the way?  If there is an existing alternative, 
    please let me know.
    
    Thank you,
    
         /kristofer
    


