On Wed, 2008-10-29 at 11:19 -0400, Eric Paris wrote:
> On Wed, 2008-10-29 at 10:42 -0400, Stephen Smalley wrote:
> > On Wed, 2008-10-29 at 10:34 -0400, Eric Paris wrote:
> > > Things like link_path_walk check for MAY_EXEC on directories as it walks path
> > > names. The open perms checking was actually checking open on these as well.
> > > This patch excludes checking open when the only requested permission on the
> > > dir was MAY_EXEC. open and opendir both still require open perms.
> >
> > Would these issues (both directory search and unix socket) have been
> > avoided if you had put the open check in the dentry_open hook instead of
> > the inode_permission hook?
>
> Both are the result of explicit calls to inode_permission so yes, they
> would have been avoided.

Ok...so, would it make sense to move the open checks to selinux_dentry_open()
and thus avoid having to special-case the logic?

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
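As an added illustration of the placement question raised above (not code from the thread or from the kernel), here is a small C model of the two hook placements: open checked in the inode_permission hook with the patch's MAY_EXEC-only special case, versus open checked only in the dentry_open hook. It assumes the unix socket case is an explicit inode_permission call with MAY_WRITE that never reaches dentry_open, and all flag names and values are constructed for the model.

```c
#include <stdbool.h>

/* VFS request bits and object kinds; values are constructed for this model. */
#define MAY_EXEC  0x1u
#define MAY_WRITE 0x2u
#define MAY_READ  0x4u
enum obj { OBJ_FILE, OBJ_DIR, OBJ_SOCK };

/* Permissions that end up in the access-vector request. */
#define AV_READ   0x1u
#define AV_WRITE  0x2u
#define AV_EXEC   0x4u   /* "search" when the object is a directory */
#define AV_OPEN   0x8u

enum placement { OPEN_IN_INODE_PERMISSION, OPEN_IN_DENTRY_OPEN };

/* Map the requested VFS bits to the basic permissions; never adds open. */
static unsigned base_av(unsigned mask)
{
    unsigned av = 0;
    if (mask & MAY_READ)  av |= AV_READ;
    if (mask & MAY_WRITE) av |= AV_WRITE;
    if (mask & MAY_EXEC)  av |= AV_EXEC;
    return av;
}

/* Placement A: the inode_permission hook adds open, except for the patch's
 * special case (a directory asked for MAY_EXEC alone, i.e. a path walk).
 * Any other explicit caller of inode_permission still gets open demanded,
 * whether or not it is actually opening anything. */
static unsigned inode_hook_with_special_case(unsigned mask, enum obj kind)
{
    bool walk_only = (kind == OBJ_DIR) && (mask == MAY_EXEC);
    return base_av(mask) | (walk_only ? 0 : AV_OPEN);
}

/* Placement B: inode_permission never adds open; dentry_open adds it and
 * only runs for real open()/opendir() calls. */
static unsigned inode_hook_plain(unsigned mask) { return base_av(mask); }
static unsigned dentry_open_hook(unsigned mask) { return base_av(mask) | AV_OPEN; }

/* Permissions one operation demands under a placement. `opens` says whether
 * the operation also reaches the dentry_open hook (true only for opens). */
unsigned demanded(enum placement p, unsigned mask, enum obj kind, bool opens)
{
    if (p == OPEN_IN_INODE_PERMISSION)
        return inode_hook_with_special_case(mask, kind);
    return inode_hook_plain(mask) | (opens ? dentry_open_hook(mask) : 0);
}
```

Under placement A the socket case (an explicit inode_permission call that is not an open) still picks up a spurious open check, while placement B demands open only where dentry_open runs.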