Re: [PATCH 10/29] selinux: implement set acl hook

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Sep 23, 2022 at 10:26:35AM -0400, Paul Moore wrote:
> On Fri, Sep 23, 2022 at 3:57 AM Christian Brauner <brauner@xxxxxxxxxx> wrote:
> > On Fri, Sep 23, 2022 at 08:47:07AM +0200, Christoph Hellwig wrote:
> > > On Thu, Sep 22, 2022 at 01:16:57PM -0400, Paul Moore wrote:
> > > > properly review the changes, but one thing immediately jumped out at
> > > > me when looking at this: why is the LSM hook
> > > > "security_inode_set_acl()" when we are passing a dentry instead of an
> > > > inode?  We don't have a lot of them, but there are
> > > > `security_dentry_*()` LSM hooks in the existing kernel code.
> > >
> > > I'm no LSM expert, but isn't the inode vs dentry for if it is
> > > related to an inode operation or dentry operation, not about that
> > > the first argument is?
> >
> > Indeed. For example ...
> 
> If the goal is for this LSM hook to operate on an inode and not a
> dentry, let's pass it an inode instead.  This should help prevent

I would be ok with that but EVM requires a dentry being passed and as
evm is called from security_inode_set_acl() exactly like it is from
security_inode_setxattr() and similar the hook has to take a dentry.

And I want to minimize - ideally get rid of at some point - separate
calls to security_*() and evm_*() or ima_() in the vfs. So the evm hook
should please stay in there.



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux