On Thu, 2008-12-04 at 21:00 +0900, Tetsuo Handa wrote: > Hello. > > Stephen Smalley wrote: > > On Wed, 2008-12-03 at 17:56 +0900, Kentaro Takeda wrote: > > > Stephen, Serge, > > > Here is the patch for introducing new security_path_set()/clear() hooks. > > > > > > This patch enables LSM module to remember vfsmount's pathname so that it can > > > calculate absolute pathname in security_inode_*(). Since actual MAC can be > > > performed after DAC, there will not be any noise in auditing and learning > > > features. This patch currently assumes that the vfsmount's pathname is stored in > > > hash table in LSM module. (Should I use stack memory?) > > > > > > Since security_inode_*() are not always called after security_path_set(), > > > security_path_clear() hook is needed to free the remembered pathname. > > > > Your security_path_set()/security_path_clear() pairs look rather similar > > to mnt_want_write()/mnt_drop_write() pairs. What if you were to call > > your hooks from those functions, and then you would only need to add > > further hook calls in the case of read-only and execute/search checks? > > Right. Locations of inserting security_path_set()/security_path_clear() pairs > are subset of mnt_want_write()/mnt_drop_write() pairs. Thus, we can insert > security_path_set()/security_path_clear() pairs into > mnt_want_write()/mnt_drop_write() pairs, if we can tolerate performance > regression. According to our rough measurement, there is about 8 - 22% of > performance regression. But this approach needs minimum modification to the > existing kernel (only two hooks to be inserted). I assume you also need separate hooks to cover the read-only open case? As for your performance, your implementation of mp_* is clearly non-optimal, so I'd expect there is plenty of room for improvement there. <snip> > --- linux-2.6.28-rc7-mm1.orig/fs/namespace.c > +++ linux-2.6.28-rc7-mm1/fs/namespace.c > @@ -254,6 +254,10 @@ int mnt_want_write(struct vfsmount *mnt) > int ret = 0; > struct mnt_writer *cpu_writer; > > +#ifdef CONFIG_SECURITY_PATH > + if (security_path_set(mnt) < 0) > + return -ENOMEM; > +#endif No #ifdef's within the functions, of course. That gets handled by security.h. -- Stephen Smalley National Security Agency -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
