Stephen Smalley wrote:
| On Wed, 2004-12-01 at 18:32, Jeffrey Mahoney wrote:
|
|>I took some more time to find a more optimal solution. Since ReiserFS is
|>currently the only filesystem that cares about this, it's far easier to keep
|>the whole mess internal to ReiserFS. The issue isn't about the treating of
|>"private" files in reiserfs, but rather just to avoid the looping of xattr
|>calls that selinux would create.
|
|
| No. It is also about avoiding applying permission checks to these
| "private" inodes when reiserfs performs operations on them, e.g. when
| __get_xa_root() does a lookup_one_len(), there is ultimately a call to
| permission(inode, MAY_EXEC, nd), which triggers a security hook call,
| and SELinux will view this as an attempt by the current process to
| access the private directory. Simply disabling getxattr/setxattr for
| the private inodes won't change this, and you can't assume that most
| processes have permission to access the default file context (in fact,
| in a strict policy, that won't be the case).
|
| Chris' suggestion of exporting this private flag via i_flags and having
| the VFS and/or security framework skip the security hook calls for such
| inodes is more reasonable, and should yield the same behavior as that
| current patchset (just without the extra security hook and the
| filesystem and SELinux-specific private flags).

Ok, well I have a test version of this up and running. It's ugly, but I
don't think any solution to this problem will be pretty. It just hooks
into include/linux/security.h so that all the individual callers don't
need to be special cased. However, selinux itself accesses inode lists
internally that circumvent this. I believe I caught the major case that
causes this, but I'd prefer someone with more intimate knowledge of
selinux verify.

Attached are four patches:

01-vfs-private-flag.diff
  - adds the S_PRIVATE flag and adds use to security
02-vfs-private-selinux.diff
  - internal inode loop needs IS_PRIVATE test
03-reiserfs-priv-abstract.diff
  - private inode abstracted to static inline
04-vfs-private-reiserfs.diff
  - change reiserfs to use S_PRIVATE

-Jeff

--
Jeff Mahoney
SuSE Labs
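
The two points discussed in this message, as an added user-space model that is not code from the attached patches or from the kernel: a flag test in the security hook wrapper covers every caller at once, while a module-internal walk over the inode list bypasses the wrapper and needs its own IS_PRIVATE test. The struct layout, the flag value, the honor_private switch, the function bodies and the sample inodes are all constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define S_PRIVATE 0x1 /* constructed flag value for this model */
#define IS_PRIVATE(i) ((i)->i_flags & S_PRIVATE)

struct inode { const char *name; unsigned i_flags; int policy_allows, labeled; };

/* Constructed sample: an ordinary file and a filesystem-internal directory. */
static struct inode sample[2] = {
    { "home/file", 0, 1, 0 },
    { "fs-internal-xattr-dir", S_PRIVATE, 0, 0 }, /* strict policy denies it */
};
static int hook_calls; /* how often the security module was entered */

static int lsm_inode_permission(const struct inode *inode)
{
    hook_calls++;
    return inode->policy_allows ? 0 : -EACCES;
}

/* Single choke point: the test here covers every caller of the hook. */
static int security_inode_permission(const struct inode *inode, int honor_private)
{
    if (honor_private && IS_PRIVATE(inode))
        return 0;
    return lsm_inode_permission(inode);
}

/* Module-internal walk over the inode list. It never goes through the
 * wrapper, so it needs its own test. Returns how many inodes it labeled. */
static int label_all(struct inode *list, size_t n, int honor_private)
{
    int touched = 0;
    for (size_t i = 0; i < n; i++) {
        if (honor_private && IS_PRIVATE(&list[i]))
            continue;
        list[i].labeled = 1;
        touched++;
    }
    return touched;
}

int main(void)
{
    printf("unflagged=%d flagged=%d walk=%d\n", security_inode_permission(&sample[1], 0),
           security_inode_permission(&sample[1], 1), label_all(sample, 2, 1));
    return 0;
}
```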