|
|
|
Re: [PATCH] fs/vfs/security: pass last path component to LSM on inode creation | |
| [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] | |
On Thu, 2010-12-09 at 12:48 -0500, John Stoffel wrote: > >>>>> "Eric" == Eric Paris <eparis@xxxxxxxxxx> writes: > > Eric> On Thu, 2010-12-09 at 10:05 -0500, John Stoffel wrote: > >> >>>>> "Eric" == Eric Paris <eparis@xxxxxxxxxx> writes: > > Eric> This patch adds a 4th piece of information, the name of the > Eric> object being created. An obvious situation where this will be > Eric> useful is devtmpfs (although you'll find other examples in the > Eric> above thread). devtmpfs when it creates char/block devices is > Eric> unable to distinguish between kmem and console and so they are > Eric> created with a generic label. hotplug/udev is then called which > Eric> does some pathname like matching and relabels them to something > Eric> more specific. We've found that many people are able to race > Eric> against this particular updating and get spurious denials in > Eric> /dev. With this patch devtmpfs will be able to get the labels > Eric> correct to begin with. > > So your Label based access controls are *also* based on pathnames? > Right? Access decisions are still based solely on the label. This patch can influence how new objects get their label, which makes the access decisions indirectly path based. You'll find a reasonable summary and commentary on lwn in this weeks security section. -- To unsubscribe from this list: send the line "unsubscribe reiserfs-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
[Linux BTRFS] [Linux NFS] [Linux Filesystems] [Ext4 Filesystem] [Kernel Newbies] [Share Photos] [Security] [Netfilter] [Bugtraq] [Photo] [Yosemite] [Yosemite Forum] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper] [Linux Resources]
|