Re: [RFC][PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks

From: Stephen Smalley (sds@private)
Date: Mon Jul 25 2005 - 07:24:14 PDT


On Thu, 2005-07-21 at 13:44 -0400, Mimi Zohar wrote:
> This is also a problem for SLIM, which creates the new inode integrity
> level label based on the lesser of the integrity level of the parent
> directory and the current process.  The integrity level of the parent
> directory is an extended attribute label, which is currently accessible
> through getxattr() using the dentry->d_parent.  Removing the dentry
> parameter would require a corresponding function to set_handle, based on
> the inode, to get the extended integrity level attribute label of the
> parent.

SELinux also computes the new label based on a combination of the
security labels of the creating process and the parent directory, but we
certainly don't need to call getxattr here to get the parent directory's
label.  It is already cached (mapped to a SID and then stored in the
inode security structure of the parent directory's inode) at this point,
due to prior setup upon d_instantiate.   You can do likewise for SLIM.

-- 
Stephen Smalley
National Security Agency
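
The caching approach described in the reply above, sketched as a user-space model. This is an added example, not code from the original post, SELinux, or SLIM. Every struct and function name is hypothetical, and integrity levels are assumed to be integers where a smaller value means lower integrity.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: all names are hypothetical, not kernel or SLIM APIs. */
struct isec { int level; int valid; };            /* per-inode security blob */
struct inode { int xattr_level; struct isec *i_security; };

static int xattr_reads;                           /* counts slow-path lookups */

/* Stand-in for the getxattr() call that needs a dentry in the kernel. */
static int read_level_xattr(const struct inode *ino)
{
    xattr_reads++;
    return ino->xattr_level;
}

/* Runs once when the inode is attached to a dentry: cache its label. */
static int model_d_instantiate(struct inode *ino)
{
    ino->i_security = malloc(sizeof(*ino->i_security));
    if (!ino->i_security)
        return -1;
    ino->i_security->level = read_level_xattr(ino);
    ino->i_security->valid = 1;
    return 0;
}

/* Creation-time labelling: uses only the parent inode, no dentry, no xattr read. */
static int new_inode_level(const struct inode *dir, int task_level)
{
    if (!dir->i_security || !dir->i_security->valid)
        return -1;                                /* parent label never cached */
    int parent = dir->i_security->level;
    return parent < task_level ? parent : task_level;   /* lesser of the two */
}

int main(void)
{
    struct inode dir = { .xattr_level = 2, .i_security = NULL }; /* constructed sample */
    if (model_d_instantiate(&dir))
        return 1;
    printf("task level 3 -> new inode level %d\n", new_inode_level(&dir, 3));
    printf("task level 1 -> new inode level %d\n", new_inode_level(&dir, 1));
    printf("xattr reads: %d\n", xattr_reads);
    free(dir.i_security);
    return 0;
}
```

The xattr read counter stays at one no matter how many children are created, which is the point of caching at instantiate time.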


