On Thu, 2005-10-27 at 15:08 +0800, Globe Trekker wrote:
> Hi!
>
> I'm implementing a Mandatory Access Control LSM for linux-2.6.12.5.
> I have to use the security_inode_permission hook to check the permission of
> the access to a file.
> I use Extended Attributes to store all MAC attributes of files.
> In my mac_inode_permission(), I have to get the MAC attribute of the
> inode, using this:
>
> if ((inode->i_op) && (inode->i_op->getxattr)) {
>         error = inode->i_op->getxattr(nd->dentry, POSIX_MAC_XATTR_NAME,
>                                       &mac_xattr, sizeof(posix_mac_xattr));
> }
>
> So, you see, I have to use the nd parameter of the
> security_inode_permission() hook. But sometimes this parameter is NULL.
> For now, my mac_inode_permission() just returns success if `nd' is NULL,
> and the MAC mechanism behaves strangely: the MAC control on directories
> just doesn't work.
>
> I tried to get `dentry' from `inode' but found it almost impossible (any
> new idea?). I tried to figure out the situations in which the `nd'
> parameter for the security_inode_permission() hook is NULL but found it too
> hard to accomplish.
>
> Any ideas?

Look at how SELinux does it.  Get the xattr upon d_instantiate and cache
the security data in the incore inode security field.  Then just use
that incore inode security field upon inode_permission.

More to the point: why not just use SELinux?

-- 
Stephen Smalley
National Security Agency
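The caching pattern Smalley describes, as an added userspace model that is not code from this thread, from the poster's module or from SELinux. The label is read from the xattr once, at d_instantiate time when the dentry is available, and stored in a per-inode in-core security blob; the permission hook then consults only that blob, so it never needs the nameidata and a NULL `nd` cannot cause it to fail open. Everything here is an assumption for illustration: the `mac_isec` blob, the `security.mac` key, the `level=N` value format, the constructed on-disk xattr table standing in for `getxattr`, and the no-read-up / no-write-down rule used as a stand-in policy.

```c
/* Added example: userspace model of "read xattr at d_instantiate, cache in
 * the in-core inode security blob, decide in inode_permission from the cache".
 * All names, the xattr key, the label format and the policy are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC_XATTR_NAME "security.mac"   /* assumed xattr key */
#define MAY_WRITE 0x2                    /* same values as the kernel's MAY_* */
#define MAY_READ  0x4

/* Constructed stand-in for the on-disk xattr, one entry per inode number.
 * Inode 102 deliberately carries no MAC xattr. */
struct fake_xattr { unsigned long ino; const char *value; };
static const struct fake_xattr disk_xattrs[] = {
    { 100, "level=1" },   /* low-sensitivity file */
    { 101, "level=3" },   /* high-sensitivity file */
};

/* Model of the per-inode in-core security blob (what i_security points to). */
struct mac_isec {
    int initialized;       /* label has been loaded from the xattr */
    unsigned int level;    /* sensitivity level, 0 = unlabeled */
};

struct inode {
    unsigned long i_ino;
    struct mac_isec *i_security;
};

/* Stand-in for inode->i_op->getxattr(): copy the raw value, or -ENODATA. */
static int fake_getxattr(unsigned long ino, const char *name, char *buf, size_t len)
{
    size_t i;
    if (strcmp(name, MAC_XATTR_NAME) != 0)
        return -ENODATA;
    for (i = 0; i < sizeof disk_xattrs / sizeof disk_xattrs[0]; i++) {
        if (disk_xattrs[i].ino == ino) {
            size_t n = strlen(disk_xattrs[i].value);
            if (n >= len) return -ERANGE;
            memcpy(buf, disk_xattrs[i].value, n + 1);
            return (int)n;
        }
    }
    return -ENODATA;
}

/* Parse "level=N"; anything unparsable is treated as unlabeled (level 0). */
static unsigned int parse_level(const char *value)
{
    unsigned int lvl = 0;
    return sscanf(value, "level=%u", &lvl) == 1 ? lvl : 0;
}

/* Load the label into the in-core blob. A missing xattr yields level 0,
 * i.e. a real (lowest) label, never "skip the check". */
static int mac_load_label(struct inode *inode)
{
    char buf[64];
    struct mac_isec *isec = inode->i_security;
    int rc = fake_getxattr(inode->i_ino, MAC_XATTR_NAME, buf, sizeof buf);

    if (rc == -ENODATA) isec->level = 0;
    else if (rc < 0)    return rc;
    else                isec->level = parse_level(buf);
    isec->initialized = 1;
    return 0;
}

/* Model of the d_instantiate hook: the one place the label is fetched. */
static void mac_d_instantiate(struct inode *inode)
{
    if (inode && inode->i_security) mac_load_label(inode);
}

/* Permission hook. Takes (inode, mask) like the LSM hook but no nameidata:
 * the decision comes from the cached label only. If the label was never
 * cached (instantiate not yet run), load it now rather than allowing. */
static int mac_inode_permission(struct inode *inode, int mask, unsigned int subj_level)
{
    struct mac_isec *isec = inode->i_security;
    if (!isec) return -EACCES;
    if (!isec->initialized && mac_load_label(inode)) return -EACCES;
    if ((mask & MAY_READ)  && subj_level < isec->level) return -EACCES; /* no read up */
    if ((mask & MAY_WRITE) && subj_level > isec->level) return -EACCES; /* no write down */
    return 0;
}

/* Build an inode the way the VFS would: allocate the blob, then instantiate
 * (or not, to model a path where the hook runs before instantiation),
 * ask the permission hook, and return its verdict. */
static int check_access(unsigned long ino, int instantiate, int mask, unsigned int subj_level)
{
    struct inode in = { ino, calloc(1, sizeof(struct mac_isec)) };
    int rc;
    if (!in.i_security) return -ENOMEM;
    if (instantiate) mac_d_instantiate(&in);
    rc = mac_inode_permission(&in, mask, subj_level);
    free(in.i_security);
    return rc;
}

int main(void)
{
    printf("subj 2 read  ino 100 (level 1): %d\n", check_access(100, 1, MAY_READ, 2));
    printf("subj 2 read  ino 101 (level 3): %d\n", check_access(101, 1, MAY_READ, 2));
    printf("subj 2 read  ino 101, not instantiated: %d\n", check_access(101, 0, MAY_READ, 2));
    return 0;
}
```

The last call in `main` is the case the poster hit: the hook runs on an inode whose label has not been cached yet. With the label in the inode rather than looked up through `nd->dentry`, the hook still has everything it needs and still denies.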
This archive was generated by hypermail 2.1.3 : Thu Oct 27 2005 - 12:33:32 PDT