On Wed, 23 Sep 2009, Tvrtko Ursulin wrote: > Lived with it because there was no other option. We used LSM while it was > available for modules but then it was taken away. > > And not all vendors even use syscall interception, not even across platforms, > of which you sound so sure about. You can't even scan something which is not > in your namespace if you are at the syscall level. And you can't catch things > like kernel nfsd. No, syscall interception is not really appropriate at all. Really? And *if* namespaces were the problem for the devices you were targeting, what prevented you to resolving the object and offering a stream to userspace? In *your* module, hosting at the same time all the other logic required for it (caches, whitelists, etc...), instead of pushing this stuff into the kernel. WRT to the "other" system, never said they were using syscall interception, if you read carefully. I said that minifilters typically sends path names to userspace, which might drive you in the pitfall Andreas was describing. - Davide -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
