On Thu, 2005-07-21 at 13:44 -0400, Mimi Zohar wrote: > This is also a problem for SLIM, which creates the new inode integrity > level label based on > the lesser of the integrity level of the parent directory and the current > process. The > integrity level of the parent directory is an extended attribute label, > which is currently > accessible through getxattr() using the dentry->d_parent. Removing the > dentry parameter > would require a corresponding function to set_handle, based on the inode, > to get the > extended integrity level attribute label of the parent. SELinux also computes the new label based on a combination of the security labels of the creating process and the parent directory, but we certainly don't need to call getxattr here to get the parent directory's label. It is already cached (mapped to a SID and then stored in the inode security structure of the parent directory's inode) at this point, due to prior setup upon d_instantiate. You can do likewise for SLIM. -- Stephen Smalley National Security Agency
This archive was generated by hypermail 2.1.3 : Mon Jul 25 2005 - 07:53:13 PDT