Re: [PATCH] New sys_chmod() hook for the LSM framework

From: Chris Wright (chrisw@private)
Date: Tue Feb 08 2005 - 16:15:30 PST


* Lorenzo Hernández García-Hierro (lorenzo@private) wrote:
> As commented yesterday, I was going to release a few more hooks for some
> *critical* syscalls, this one adds a hook to sys_chmod(), and makes us
> able to apply checks and logic before releasing the operation to
> sys_chmod().

This is exactly the kind of hook we've tried to avoid.  This is really
asking for permission to alter inode attribute data.  This type of
hook is incomplete because there are other ways to alter this data,
and this access is already controlled by the inode_setattr hook (as
Tony mentioned).  So this is a no go.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
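
Added example, not part of the original message or of the LSM code: a userspace C model of the argument above, in which a hook placed only at the chmod entry point misses a second path to the same inode attribute, while a check on the common inode_setattr path covers both. fchmod is assumed here as one such other path (the mail does not name one); the setuid-denying policy and the model_* and unmediated_paths names are hypothetical.

```c
#include <stdio.h>
/* Userspace model only: names mirror kernel ones, bodies are simplified. */
#define MODE_SETUID 04000u
struct inode { unsigned mode; };
struct iattr { unsigned ia_mode; };
static int use_chmod_hook, use_setattr_hook;   /* which hook placement is active */

/* Hypothetical policy shared by both placements: refuse the setuid bit. */
static int policy_denies(unsigned mode) { return (mode & MODE_SETUID) != 0; }

/* Common path: every mode change funnels through here, whatever the entry point. */
static int notify_change(struct inode *ino, const struct iattr *attr)
{
    if (use_setattr_hook && policy_denies(attr->ia_mode))
        return -1;              /* inode_setattr-style hook says no */
    ino->mode = attr->ia_mode;
    return 0;
}

static int model_chmod(struct inode *ino, unsigned mode)
{
    struct iattr a = { mode };
    if (use_chmod_hook && policy_denies(mode))
        return -1;              /* syscall-entry hook, as in the proposal */
    return notify_change(ino, &a);
}

static int model_fchmod(struct inode *ino, unsigned mode)
{
    struct iattr a = { mode };  /* no syscall-entry hook exists on this path */
    return notify_change(ino, &a);
}

/* Count how many of the two entry points let the denied mode through. */
int unmediated_paths(int chmod_hook, int setattr_hook)
{
    struct inode a = { 0644 }, b = { 0644 };
    use_chmod_hook = chmod_hook;
    use_setattr_hook = setattr_hook;
    model_chmod(&a, 04755);
    model_fchmod(&b, 04755);
    return policy_denies(a.mode) + policy_denies(b.mode);
}

int main(void)
{
    printf("sys_chmod hook only: %d unmediated\n", unmediated_paths(1, 0));
    printf("inode_setattr hook:  %d unmediated\n", unmediated_paths(0, 1));
    return 0;
}
```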


