Re: Multiple calls to inode_permission

From: Spinka, Kristofer (kspinka@private)
Date: Wed Sep 24 2003 - 16:46:37 PDT


    I see that nd->flags might offer what I need.  Does anyone
    have any suggestions as to whether this is the way to go?

    On Wed, 24 Sep 2003 18:26:49 -0400
      "Kristofer Spinka" <kspinka@private> wrote:
    >Hello, I am working on a security module that utilizes the
    >LSM framework.  Thank you for the recent nameidata 
    >patches to inode_permission, this has been very valuable.
    >How do I "hook" the may_open logic point?  If I simply 
    >hook inode_permission, my function will be called for 
    >every dentry from the root to my inode.  Depending on how 
    >the permission check is implemented, when not using per 
    >object tags, this can be terribly inefficient.  Imagine 
    >/usr/local/tmp/my.file.  Instead of one "strcmp", or 
    >whatever, we have to process four!
    >If in fact this is the only behavior, can we discuss 
    >adding an additional hook point, file_open, that will be 
    >called with the same parameters as inode_permission, but 
    >only for the terminal inode/nameidata, not the whole path 
    >along the way?  If there is an existing alternative, 
    >please let me know.
    >Thank you,
    >     /kristofer
