Hi!
I found that the d_instantiate() hook is not called whenever I use `cat' to
read some file or `echo' to write to some file.
# cat /etc/*
# cat /tmp/mactest
# echo "hello world" >> /tmp/mactest
# echo "hello world" > /tmp/mactes
The hook is not called in all the above cases.
Is there any way to surely get the MAC xattr of the inode before
inode_permission() hook is called?
Thanks!
Regards
Hawk Xu
Stephen Smalley wrote:
>On Thu, 2005-10-27 at 15:08 +0800, Globe Trekker wrote:
>
>
>>Hi!
>>
>>I'm implementing a Mandatory Access Control LSM for linux-2.6.12.5.
>>I have to use security_inode_permission hook to check the permission of
>>the access to a file.
>>I use Extended Attribute to store all MAC attributes of files.
>>In my mac_inode_permission(), I have to get the MAC attribute of the
>>inode, using this:
>>
>>if ((inode->i_op) && (inode->i_op->getxattr)) {
>> error = inode->i_op->getxattr(nd->dentry, POSIX_MAC_XATTR_NAME,
>>&mac_xattr, sizeof(posix_mac_xattr));
>>}
>>
>>So, you see, I have to use the nd parameter of the
>>security_inode_permission() hook. But sometimes this parameter is NULL.
>>For now, my mac_inode_permission() just returns success if `nd' is NULL,
>>and the MAC mechanism behaves strangely; the MAC control on directories
>>just doesn't work.
>>
>>I tried to get `dentry' from `inode' but found it almost impossible (any
>>new idea?). I tried to figure out the situations in which the `nd'
>>parameter for security_inode_permission() hook is NULL but found it too
>>hard to accomplish.
>>
>>Any ideas?
>>
>>
>
>Look at how SELinux does it. Get the xattr upon d_instantiate and cache
>the security data in the incore inode security field. Then just use
>that incore inode security field upon inode_permission.
>
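The following is an added user-space model of the caching pattern Stephen Smalley describes above; it is not code from this thread, from the poster's module, or from SELinux, and it is not loadable kernel code. It assumes a hypothetical label format "level=N" stored under an xattr named security.mac, a Bell-LaPadula "no read up, no write down" policy, and a subject level passed in as an extra parameter (a real hook would read it from the current task). The point it shows is that once d_instantiate has pulled the xattr into the in-core blob, inode_permission never needs the dentry or the nameidata, so a NULL nd stops mattering; an inode whose blob was never initialized is treated as fail-closed, which is this example's assumption, not something the thread states.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mask bits as passed to the inode_permission hook (values from linux/fs.h). */
#define MAY_WRITE 2
#define MAY_READ  4
/* Hypothetical xattr name; the thread's module uses POSIX_MAC_XATTR_NAME. */
#define MAC_XATTR_NAME "security.mac"

/* Per-inode security blob cached in inode->i_security (the "incore" field). */
struct mac_isec { int level; int initialized; };

/* Minimal stand-ins for the kernel's struct inode / struct dentry. */
struct inode  { unsigned long i_ino; void *i_security; };
struct dentry { const char *d_name; struct inode *d_inode; };

/* Constructed "on-disk" xattr table standing in for the filesystem's getxattr. */
struct xattr_rec { unsigned long ino; const char *value; };
static const struct xattr_rec disk_xattrs[] = {
    { 10, "level=1" },
    { 11, "level=3" },
    /* inode 12 deliberately carries no MAC xattr */
};

/* Stand-in for inode->i_op->getxattr(): it needs a dentry, which is exactly
 * why it cannot be called from inode_permission() when nd is NULL. */
static int fs_getxattr(struct dentry *d, const char *name, char *buf, size_t size)
{
    size_t i;
    if (strcmp(name, MAC_XATTR_NAME) != 0)
        return -EOPNOTSUPP;
    for (i = 0; i < sizeof disk_xattrs / sizeof disk_xattrs[0]; i++) {
        if (disk_xattrs[i].ino == d->d_inode->i_ino) {
            size_t len = strlen(disk_xattrs[i].value);
            if (len + 1 > size)
                return -ERANGE;
            memcpy(buf, disk_xattrs[i].value, len + 1);
            return (int)len;
        }
    }
    return -ENODATA;
}

/* inode_alloc_security hook: attach an empty, not-yet-initialized blob. */
int mac_inode_alloc_security(struct inode *inode)
{
    struct mac_isec *isec = calloc(1, sizeof *isec);
    if (!isec)
        return -ENOMEM;
    inode->i_security = isec;
    return 0;
}

/* d_instantiate hook: the dentry is available here, so read the xattr now and
 * cache the parsed label. A missing xattr maps to level 0 (assumed default). */
void mac_d_instantiate(struct dentry *dentry, struct inode *inode)
{
    struct mac_isec *isec = inode->i_security;
    char buf[32];
    int rc;

    if (!isec || isec->initialized)
        return;
    rc = fs_getxattr(dentry, MAC_XATTR_NAME, buf, sizeof buf);
    if (rc == -ENODATA)
        isec->level = 0;
    else if (rc < 0 || sscanf(buf, "level=%d", &isec->level) != 1)
        return;                       /* leave uninitialized: denied below */
    isec->initialized = 1;
}

/* inode_permission hook: consults only the cached blob; nd is never touched.
 * subject_level is an example parameter standing in for the current task's label. */
int mac_inode_permission(struct inode *inode, int mask, void *nd, int subject_level)
{
    struct mac_isec *isec = inode->i_security;
    (void)nd;                         /* may be NULL; not needed any more */

    if (!isec || !isec->initialized)
        return -EACCES;               /* no label cached: fail closed */
    if ((mask & MAY_READ) && subject_level < isec->level)
        return -EACCES;               /* no read up */
    if ((mask & MAY_WRITE) && subject_level > isec->level)
        return -EACCES;               /* no write down */
    return 0;
}

/* Drive the hooks in the order the VFS would; 'instantiate' = 0 models an
 * inode whose d_instantiate hook never ran. Returns 0 or -EACCES. */
int mac_check(unsigned long ino, int mask, int subject_level, int instantiate)
{
    struct inode inode = { ino, NULL };
    struct dentry dentry = { "f", &inode };
    int rc;

    if (mac_inode_alloc_security(&inode) < 0)
        return -ENOMEM;
    if (instantiate)
        mac_d_instantiate(&dentry, &inode);
    rc = mac_inode_permission(&inode, mask, NULL, subject_level);
    free(inode.i_security);
    return rc;
}

int main(void)
{
    printf("read  ino 10 (level 1) as level 2: %d\n", mac_check(10, MAY_READ, 2, 1));
    printf("write ino 10 (level 1) as level 2: %d\n", mac_check(10, MAY_WRITE, 2, 1));
    printf("read  ino 11 (level 3) as level 2: %d\n", mac_check(11, MAY_READ, 2, 1));
    printf("read  ino 12 (unlabeled) as level 2: %d\n", mac_check(12, MAY_READ, 2, 1));
    printf("read  ino 10 without d_instantiate: %d\n", mac_check(10, MAY_READ, 2, 0));
    return 0;
}
```

The last call in main is the case that matters for the question above: if the d_instantiate hook does not run for some inode, the cached blob stays uninitialized and this model denies access rather than reading the xattr without a dentry.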
This archive was generated by hypermail 2.1.3 : Fri Oct 28 2005 - 19:49:13 PDT