linux-fsdevel.vger.kernel.org archive mirror
From: Casey Schaufler <casey@schaufler-ca.com>
To: Dave Quigley <dpquigl@tycho.nsa.gov>, casey@schaufler-ca.com
Cc: Christoph Hellwig <hch@lst.de>,
	chrisw@sous-sol.org, sds@tycho.nsa.gov, jmorris@namei.org,
	viro@zeniv.linux.org.uk, selinux@tycho.nsa.gov,
	linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 1/2] VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx.
Date: Fri, 7 Mar 2008 10:14:15 -0800 (PST)
Message-ID: <520476.89184.qm@web36601.mail.mud.yahoo.com>
In-Reply-To: <1204911451.14520.292.camel@moss-terrapins.epoch.ncsc.mil>


--- Dave Quigley <dpquigl@tycho.nsa.gov> wrote:

> For some odd reason I can't quite parse the first two parts

Let me try a different angle on the question. Maybe it just
doesn't come up as a real issue, and I'm concerned about nothing.

Just for grins let's say I wanted to set the secctx on a directory
in a derivative of ramfs in some unspecified way that is not
related to mkdir. There are no on-disk inodes. Should the code call
inode_setsecctx, inode_notifysecctx, or both? It seems rational to
me to call inode_setsecctx, but since the differentiation between
the interfaces is the "on disk" factor and ramfs only exists as
in core, it would seem that inode_notifysecctx would be correct.

Like I say, maybe it never comes up, but having these two very
similar interfaces (or the old flag) begs the question of when
to use each for things other than their original purpose. I think
we'll live in a better LSM if it's clear.

> of your
> email but to answer your question about it being an NFS-only hook. As of
> right now the only user is going to be NFS; however, any remote filesystem
> (labeled CIFS anyone?) will potentially have this problem. Also, even
> though we don't have one today, if there ever were an LSM that used
> multiple xattrs for their security attributes this is a useful interface
> to them. So there are many uses for this hook but currently the only one
> is NFS.

Ok then, no worries.

Thank you


Casey Schaufler
casey@schaufler-ca.com
