|| ||Stephen Smalley <stephen.smalley-AT-gmail.com> |
|| ||Casey Schaufler <casey-AT-schaufler-ca.com> |
|| ||Re: [RFC PATCH 1/2] fs/vfs/security: pass last path component to LSM
on inode creation |
|| ||Tue, 7 Dec 2010 12:34:59 -0500|
|| ||Eric Paris <eparis-AT-redhat.com>, penguin-kernel-AT-i-love.sakura.ne.jp,
selinux-AT-tycho.nsa.gov, sds-AT-tycho.nsa.gov, jmorris-AT-namei.org,
|| ||Article, Thread
On Tue, Dec 7, 2010 at 11:56 AM, Casey Schaufler <firstname.lastname@example.org> wrote:
> Let's assume for the moment that no one has a significant objection
> to adding the component name to inode_init_security. I am not
> suggesting that what gets passed to inode_init_security is
> insufficiently general. I am asking if there are other hooks that
> also ought to have the component name as one of their parameters.
> Yes, I understand the concept of "if it ain't broke ...", and that
> may suffice at this point, and if not the fact that no one would be
> using the component name in those other hooks definitely would. I
> expect that when someone comes along with a new LSM that does access
> controls based on the final component* they aren't going to suffer
> unnecessary resistance from the SELinux community as they add the
> component name as a parameter to other hooks.
> * For example, only files suffixed with ".exe" can be executed and
> only files suffixed with ".so" can be mmapped.
I think you can already achieve that via the pathname hooks, but if
not and you want it, go for it.
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to email@example.com
More majordomo info at http://vger.kernel.org/majordomo-info.html
to post comments)