Re: [PATCH 0/2] ima: policy search speedup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Dec 11, 2012 at 7:55 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, Dec 11, 2012 at 9:40 AM, Kasatkin, Dmitry
> <dmitry.kasatkin@xxxxxxxxx> wrote:
>>>
>>> Quite frankly, this seems stupid.
>>
>> What exactly seems stupid here?
>
> What I said. Go back and read it. I gave three reasons. Why do you ask?
>
> I'll give one more reason, but you probably won't read *this* email
> either, will you?
>
>> There are different filesystems which are not checked by IMA/EVM,
>> such as pseudo-filesystems.
>
> Did you read my email?
>
> There are probably *also* individual that aren't checked by IMA/EVM
> even on filesystems that *do* check other files.
>
> No?
>
> And your "pseudo-filesystems" argument is pretty stupid too, since WE
> ALREADY HAVE A FLAG FOR THAT!
>
> Guess where it is? Oh, it's in the place I already mentioned makes
> more sense. Look for S_PRIVATE in inode->i_flags, and IS_PRIVATE() in
> users. It's what the other security models already use to avoid
> bothering calling down to the security layers. The fact that the
> integrity layer bypasses the normal security layer in
> ima_file_check(), for example, is no excuse to then make up totally
> new flags.

Actually S_PRIVATE does not work work for normal filesystems which IMA
might want to ignore.

>
> So let me repeat: adding a new superblock flag seems STUPID. Why is it
> in a completely different place than all the other flags that we
> already have for these kinds of things? Why should we add a new field,
> when we have existing fields that seem to do exactly this, do it
> better, and are already used?
>
> And don't ask me why without reading this email. OK?
>
>                  Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux