On Thursday, September 24, 2015 02:01:33 PM Stephen Smalley wrote:
> If we want the same for MAC, I guess we either need kdbus_node to hold a
> ref to a cred (and then we can pass ep->node->cred to the hooks), or
> just add our own security field to kdbus_node. The former seems cleaner
> to me; we can then just take an additional reference to the bus or
> endpoint creator's cred at creation time.

Agreed.

> And then we need kdbusfs to call a new hook on the inode and the cred in
> order to set the inode->i_security to something appropriate for the bus or
> endpoint creator. Otherwise, we don't get any control over the ability to
> open any given endpoint or bus in kdbusfs, as that is only subject to the
> inode permission checks.

I'll work on something and send out an updated patchset.

-- 
paul moore
security @ redhat