On 22/12/2016 00:33, Casey Schaufler wrote:
> On 12/21/2016 3:15 PM, Mickaël Salaün wrote:
>> Add a new LSM hook named inode_touch_atime which is needed to deny
>> indirect update of extended file attributes (i.e. access time) which are
>> not caught by the inode_setattr hook. By creating a new hook instead of
>> calling inode_setattr, we avoid simulating a useless struct iattr.
>>
>> This hook allows to create read-only environments as with read-only
>> mount points. It can also take care of anonymous inodes.
>
> What security module would use this?

SELinux should be interested. This is useful to create sandboxes, so other LSMs may be interested too. I'm working on a new LSM and I would like this kind of hook to create a real read-only environment.

Regards,
Mickaël