Tony Jones wrote: > The following are a set of patches the goal of which is to pass vfsmounts > through select portions of the VFS layer sufficient to be visible to the LSM > inode operation hooks. I was looking forward to these patches for so long. Chris Wright wrote: > This kind of change (or perhaps > straight to struct path) is definitely > needed from AA. Not only AppArmor, but also TOMOYO Linux needs these patches. TOMOYO Linux is a pathname based access control patch like AppArmor. http://lwn.net/Articles/165132/ I have been asked "Why not use LSM?" and the answer is always "I can't, for VFS helper functions and LSM functions don't receive vfsmount." and I am manually patching locations that call VFS helper functions. But if these Tony's patches are accepted in upstream, TOMOYO Linux would be able to use LSM. I think these patches are also useful for auditing functions, for auditing logs will be able to include absolute pathname instead of partial pathname. I think most people want access logs in the form of pathnames rather than security labels. - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
