On Thu, Oct 27, 2005 at 03:08:20PM +0800, Globe Trekker wrote:
> I tried to get `dentry' from `inode' but found it almost impossible(any
> new idea?). I tried to figure out the situations in which the `nd'
> parameter for security_inode_permission() hook is NULL but found it too
> hard to accomplish.

You can find many of the cases where nd is null by using the 'gid' tool
from the id-utils package:

$ gid permission | grep NULL
fs/binfmt_misc.c:153: if (permission(bprm->file->f_dentry->d_inode, MAY_READ, NULL))
fs/exec.c:890: permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
fs/namei.c:1191: error = permission(dir,MAY_WRITE | MAY_EXEC, NULL);
fs/namei.c:2122: error = permission(old_dentry->d_inode, MAY_WRITE, NULL);
fs/open.c:561: error = permission(inode, MAY_EXEC, NULL);
ipc/mqueue.c:636: if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL))
drivers/block/floppy.c:3772: || permission(filp->f_dentry->d_inode, 2, NULL) == 0)
fs/ext2/xattr_user.c:44: error = permission(inode, MAY_READ, NULL);
fs/ext2/xattr_user.c:64: error = permission(inode, MAY_WRITE, NULL);
fs/ext3/xattr_user.c:46: error = permission(inode, MAY_READ, NULL);
fs/ext3/xattr_user.c:66: error = permission(inode, MAY_WRITE, NULL);
fs/hpfs/namei.c:418: permission(inode, MAY_WRITE, NULL) ||
fs/jfs/xattr.c:810: return permission(inode, MAY_WRITE, NULL);
fs/jfs/xattr.c:979: return permission(inode, MAY_READ, NULL);
fs/ncpfs/ioctl.c:37: if ((permission(inode, MAY_WRITE, NULL) != 0)
fs/ncpfs/ioctl.c:65: if ((permission(inode, MAY_WRITE, NULL) != 0)
fs/ncpfs/ioctl.c:193: if ((permission(inode, MAY_WRITE, NULL) != 0)
fs/ncpfs/ioctl.c:257: if ( (permission(inode, MAY_READ, NULL) != 0)
fs/ncpfs/ioctl.c:271: if ( (permission(inode, MAY_READ, NULL) != 0)
fs/ncpfs/ioctl.c:346: if ((permission(inode, MAY_WRITE, NULL) != 0)
fs/ncpfs/ioctl.c:369: if ( (permission(inode, MAY_READ, NULL) != 0)
fs/ncpfs/ioctl.c:382: if ( (permission(inode, MAY_WRITE, NULL) != 0)
fs/ncpfs/ioctl.c:403: if ( (permission(inode, MAY_WRITE, NULL) != 0)
fs/ncpfs/ioctl.c:608: if ((permission(inode, MAY_WRITE, NULL) != 0) &&
fs/ncpfs/ioctl.c:638: if ((permission(inode, MAY_READ, NULL) != 0)
fs/nfsd/nfsfh.c:59: err = permission(parent->d_inode, MAY_EXEC, NULL);
fs/nfsd/vfs.c:1819: err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), NULL);
fs/nfsd/vfs.c:1824: err = permission(inode, MAY_EXEC, NULL);
fs/udf/file.c:189: if ( permission(inode, MAY_READ, NULL) != 0 )
$ gid exec_permission_lite | grep NULL
$

(This won't find any cases where permission or exec_permission_lite is
passed an 'nd' parameter from somewhere else that might be NULL -- but if
you track down all the uses of permission that don't pass NULL for the
final parameter, and iterate this process, you will get all of them.)

You're correct that finding the dentry to use from the inode is
difficult/impossible -- each inode may have several in-core dentries that
validly refer to the file.

Is there a way you could attach the xattr to the inode->i_security earlier
on, so that you do not need to rely on getting the dentry at
security_inode_permission() time?
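
The audit loop described in the message above, as an added example that is not part of the original message: it sorts `path:line: code` lines, as printed by gid, into permission() calls that pass a literal NULL and calls that pass something else, which are the callers to trace in the next iteration. The function names and the `constructed/` sample lines are assumptions made for illustration; the first three sample lines are copied from the listing above.

```shell
#!/bin/sh
# Reads "path:line: code" lines (gid or grep -n output) on stdin and reports,
# for each call to permission(), whether its final argument is a literal NULL.
classify_nd_callsites() {
  awk '
  {
    loc = "?"; code = $0
    if (match($0, /^[^:]+:[0-9]+:/)) {
      loc = substr($0, 1, RLENGTH - 1); code = substr($0, RLENGTH + 1)
    }
    # Match permission( only; skip exec_permission_lite( and similar names.
    if (!match(code, /(^|[^A-Za-z0-9_])permission *\(/)) next
    i = RSTART + RLENGTH; start = i; depth = 1
    # Walk to the matching ")" and remember the last top-level comma.
    for (; i <= length(code) && depth > 0; i++) {
      c = substr(code, i, 1)
      if (c == "(") depth++
      else if (c == ")") depth--
      else if (c == "," && depth == 1) start = i + 1
    }
    # The call continues on the next source line: check it by hand.
    if (depth > 0) { print "SPLIT", loc; next }
    arg = substr(code, start, i - 1 - start)
    gsub(/^ +| +$/, "", arg)
    kind = (arg == "NULL") ? "NULL" : "PASS"
    print kind, loc, arg
  }'
}

# Sample input: three lines from the listing in the message, then constructed
# lines (constructed/*.c) covering pass-through, look-alike and split calls.
sample_gid_output() {
  cat <<'EOF'
fs/open.c:561: error = permission(inode, MAY_EXEC, NULL);
fs/nfsd/vfs.c:1819: err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), NULL);
ipc/mqueue.c:636: if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL))
constructed/a.c:10: err = permission(inode, MAY_EXEC, nd);
constructed/b.c:20: if (permission(dir, MAY_WRITE, &nd) || other(a, NULL))
constructed/c.c:30: err = exec_permission_lite(inode, nd);
constructed/d.c:40: error = permission(inode,
EOF
}

sample_gid_output | classify_nd_callsites
```

Each PASS line names a call site whose enclosing function must itself be searched for callers that hand it a NULL nd; repeat until no new PASS sites appear.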
This archive was generated by hypermail 2.1.3 : Thu Oct 27 2005 - 09:25:08 PDT