--- Stephen Smalley <sds@private> wrote:

> I think you misunderstand.

Maybe yes, maybe no.

> ...
> The filesystem code can't do it directly; at best, it just has to call
> into the security module. And this introduces an extra layer of
> indirection that serves no real purpose.

It serves a very real purpose, that being the isolation of the
"advanced" security behavior into a module. On a system with integrated
support for MAC (UNICOS, for example) there is no indirection required.
The whole point of LSM is to allow isolation, and if that requires some
hooks in file system code, and I don't personally know a way that I
would consider acceptable that doesn't, then that's what you have to do.

> IIRC, FreeBSD took a different approach; they have a separate kernel API
> for getting/setting MAC labels than the xattr API (which is purely a
> storage interface), and that MAC label API is handled directly by the
> security framework/modules.

Yes. This is a better, more integrated approach.

> The security framework/modules are free to then call the internal xattr
> API when the filesystem type supports xattrs, but they are also free to
> just directly handle the request themselves, which they would do in the
> case of pseudo filesystems where there is no storage. I'm not proposing
> that for Linux, but it does allow them to unambiguously get the MAC
> label of an inode of any filesystem.

If you need the functionality you ought to consider following the BSD
footsteps.

> No, because it cannot interpret the security structures, as they are
> specific to the security modules. It has to be handled via a LSM hook,
> regardless of whether that hook is called by the fs code or by the VFS.

Yup. I'm educated now. That's what you have to do.

Casey Schaufler
casey@schaufler-ca.com
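The two designs argued over in the exchange above, modelled in userland C as an added example (this is not kernel code and not code from either participant). Design A routes MAC labels through the xattr API and falls back to a security-module hook only when the filesystem has no xattr storage; design B is the FreeBSD-style separate label API, where the framework calls the module directly and the module decides whether to consult xattr storage. The attribute name "security.label", the function names (fs_getxattr, sm_inode_getsecurity, vfs_getxattr_model, mac_get_label), the struct layout and the sample label strings are all assumptions made for illustration, not real Linux or FreeBSD interfaces.

```c
/*
 * Userland model (added example, not kernel code) of routing MAC labels
 * through the xattr API with a security-module fallback (design A) versus
 * a separate label API handled by the security module (design B).
 * All names below are illustrative assumptions, not kernel interfaces.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 64
#define SECURITY_PREFIX "security."

struct inode {
    int has_xattr_storage;          /* 0 for a pseudo filesystem (proc, sysfs) */
    char stored_label[LABEL_MAX];   /* what the filesystem keeps on disk, if any */
    char i_security[LABEL_MAX];     /* the module's private per-inode label */
};

/* Filesystem-provided xattr handler: a storage interface only. */
static int fs_getxattr(const struct inode *ino, const char *name,
                       char *buf, size_t size)
{
    if (!ino->has_xattr_storage)
        return -EOPNOTSUPP;                 /* pseudo fs: nothing to read */
    if (strcmp(name, SECURITY_PREFIX "label") != 0)
        return -ENODATA;
    if (strlen(ino->stored_label) + 1 > size)
        return -ERANGE;
    strcpy(buf, ino->stored_label);
    return (int)strlen(buf);
}

/* Security-module hook: the only code that can interpret i_security. */
static int sm_inode_getsecurity(const struct inode *ino, const char *suffix,
                                char *buf, size_t size)
{
    if (strcmp(suffix, "label") != 0)
        return -EOPNOTSUPP;
    if (strlen(ino->i_security) + 1 > size)
        return -ERANGE;
    strcpy(buf, ino->i_security);
    return (int)strlen(buf);
}

/* Design A: the xattr API doubles as the label API. The VFS asks the
 * filesystem first and only falls back to the module for security.* names
 * when the filesystem reports no xattr support. */
static int vfs_getxattr_model(const struct inode *ino, const char *name,
                              char *buf, size_t size)
{
    int ret = fs_getxattr(ino, name, buf, size);
    if (ret == -EOPNOTSUPP &&
        strncmp(name, SECURITY_PREFIX, strlen(SECURITY_PREFIX)) == 0)
        ret = sm_inode_getsecurity(ino, name + strlen(SECURITY_PREFIX),
                                   buf, size);
    return ret;
}

/* Design B: a separate label API. The framework calls the module directly;
 * the module chooses whether xattr storage is consulted at all. */
static int mac_get_label(const struct inode *ino, char *buf, size_t size)
{
    if (ino->has_xattr_storage)
        return fs_getxattr(ino, SECURITY_PREFIX "label", buf, size);
    return sm_inode_getsecurity(ino, "label", buf, size);
}

/* Constructed sample inodes: one on a disk filesystem with xattr storage,
 * one on a pseudo filesystem where only the module holds the label. */
static const struct inode sample_disk =
    { 1, "system_u:object_r:etc_t", "system_u:object_r:etc_t" };
static const struct inode sample_pseudo =
    { 0, "", "system_u:object_r:proc_t" };

/* 1 if the chosen lookup path yields the expected label, else 0. */
static int label_matches(int via_xattr, const struct inode *ino,
                         const char *expected)
{
    char buf[LABEL_MAX];
    int ret = via_xattr
        ? vfs_getxattr_model(ino, SECURITY_PREFIX "label", buf, sizeof buf)
        : mac_get_label(ino, buf, sizeof buf);
    return ret > 0 && strcmp(buf, expected) == 0;
}

/* Error code design A returns for a given name (0 on success). */
static int xattr_errno(const struct inode *ino, const char *name)
{
    char buf[LABEL_MAX];
    int ret = vfs_getxattr_model(ino, name, buf, sizeof buf);
    return ret < 0 ? ret : 0;
}

int main(void)
{
    printf("A disk:   %d\n", label_matches(1, &sample_disk, "system_u:object_r:etc_t"));
    printf("A pseudo: %d\n", label_matches(1, &sample_pseudo, "system_u:object_r:proc_t"));
    printf("B pseudo: %d\n", label_matches(0, &sample_pseudo, "system_u:object_r:proc_t"));
    printf("A user.x on pseudo: %d\n", xattr_errno(&sample_pseudo, "user.x"));
    return 0;
}
```

Both paths return the same label here, but design A reaches the module only through the filesystem's -EOPNOTSUPP, so a non-security name on the pseudo filesystem surfaces that error to the caller while a security.* name silently takes the fallback; design B never depends on that distinction, which is what the thread means by getting the label "unambiguously" on any filesystem.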
This archive was generated by hypermail 2.1.3 : Mon Jul 25 2005 - 11:44:33 PDT