> > The new inode_init_security hook doesn't receive the dentry information
> > that the inode_post_create/mkdir/mknod/symlink LSM hooks receive. This is a
> > problem for subdomain because we rely on dentry information.
>
> The entire point of inode_init_security is to allow security setup
> _before_ the new inode is associated with a dentry (and thus accessible
> via the dcache to other threads). Otherwise, other threads can access
> it before it is properly labeled.
>

Hmm, I wasn't arguing against inode_init_security; I actually like the hook and how it makes inode labeling atomic.

> Also, last I looked, SubDomain wasn't using any of the inode post hooks.
> Got code?
>

True, subdomain doesn't currently use these hooks, though I have played with them, looking into potential uses in the future. I was trying to point out that the inode_init_security hook being proposed as a replacement for the post_create hooks does not receive all the same information, which is a problem for subdomain when/if it tries using the inode_init_security.

jj

This archive was generated by hypermail 2.1.3 : Mon Jul 18 2005 - 18:25:30 PDT