From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Eric Paris <eparis@parisplace.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
"Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
James Morris <jmorris@namei.org>
Subject: Re: [PATCH 0/2] ima: policy search speedup
Date: Tue, 11 Dec 2012 14:07:22 -0500 [thread overview]
Message-ID: <1355252842.2356.137.camel@falcor> (raw)
In-Reply-To: <CACLa4pt698L4+BFSErV_rrmosmU-ELYZcmSBR8JqtYBTN35z9g@mail.gmail.com>
On Tue, 2012-12-11 at 13:09 -0500, Eric Paris wrote:
> On Tue, Dec 11, 2012 at 12:55 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>
> > And your "pseudo-filesystems" argument is pretty stupid too, since WE
> > ALREADY HAVE A FLAG FOR THAT!
> >
> > Guess where it is? Oh, it's in the place I already mentioned makes
> > more sense. Look for S_PRIVATE in inode->i_flags, and IS_PRIVATE() in
> > users. It's what the other security models already use to avoid
> > bothering calling down to the security layers. The fact that the
> > integrity layer bypasses the normal security layer in
> > ima_file_check(), for example, is no excuse to then make up totally
> > new flags.
>
> IS_PRIVATE() is not used by and darn well better not be used by, all
> psuedo filesystems like procfs which IMA may want to ignore. LSMs
> like to do control on them. I thought S_PRIVATE was really only used
> by the anon_inode and reiserfs's really crazy ass internal inodes. I
> could always be wrong.
I was actually wondering about the MS_NOSEC flag. It's currently being
used by fuse, gfs2, ocfs2 and tmpfs. (Not sure about xfs.) Can someone
explain what it is being used for?
thanks,
Mimi
next prev parent reply other threads:[~2012-12-11 19:07 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-22 21:54 [PATCH 0/2] ima: policy search speedup Dmitry Kasatkin
2012-11-22 21:54 ` [PATCH 1/2] vfs: new super block feature flags attribute Dmitry Kasatkin
2012-11-22 21:54 ` [PATCH 2/2] ima: skip policy search for never appraised or measured files Dmitry Kasatkin
2012-11-27 13:42 ` [PATCH 0/2] ima: policy search speedup Kasatkin, Dmitry
2012-12-11 12:51 ` Kasatkin, Dmitry
2012-12-11 14:08 ` Mimi Zohar
2012-12-11 16:59 ` Linus Torvalds
2012-12-11 17:40 ` Kasatkin, Dmitry
2012-12-11 17:55 ` Linus Torvalds
2012-12-11 18:09 ` Eric Paris
2012-12-11 18:35 ` Kasatkin, Dmitry
2012-12-11 19:07 ` Mimi Zohar [this message]
2012-12-11 22:16 ` Dave Chinner
2012-12-11 18:10 ` Kasatkin, Dmitry
2012-12-11 18:29 ` Al Viro
2012-12-11 18:12 ` Kasatkin, Dmitry
2012-12-11 18:35 ` Linus Torvalds
2012-12-11 18:53 ` Kasatkin, Dmitry
2012-12-11 18:18 ` Mimi Zohar
2012-12-11 18:35 ` Eric Paris
2012-12-11 18:59 ` Mimi Zohar
2012-12-11 19:10 ` Linus Torvalds
2012-12-11 19:48 ` Mimi Zohar
2012-12-11 20:05 ` Linus Torvalds
2012-12-11 20:15 ` Eric Paris
2012-12-11 20:31 ` Linus Torvalds
2012-12-11 20:08 ` Eric Paris
2012-12-11 22:57 ` Kasatkin, Dmitry
2012-12-11 23:02 ` Eric Paris
2012-12-12 13:56 ` Kasatkin, Dmitry
2012-12-12 14:25 ` Eric Paris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1355252842.2356.137.camel@falcor \
--to=zohar@linux.vnet.ibm.com \
--cc=dmitry.kasatkin@intel.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).