public inbox for linux-kernel@vger.kernel.org
From: ebiederm@xmission.com (Eric W. Biederman)
To: James Morris <jmorris@namei.org>
Cc: linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Eric Paris <eparis@redhat.com>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Subject: Re: [RFC][PATCH] security/selinux: Simplify proc inode to security label mapping.
Date: Sun, 22 Nov 2009 18:42:04 -0800	[thread overview]
Message-ID: <m13a46m077.fsf@fess.ebiederm.org>
In-Reply-To: <alpine.LRH.2.00.0911230917020.19108@tundra.namei.org> (James Morris's message of "Mon, 23 Nov 2009 09:18:32 +1100 (EST)")

James Morris <jmorris@namei.org> writes:

> On Fri, 20 Nov 2009, Eric W. Biederman wrote:
>
>> 
>> Currently selinux has incestuous knowledge of the implementation details
>> of procfs and sysctl that it uses to get a pathname from an inode. As it
>> happens, the point we care about is in the security_d_instantiate lsm hook, so
>> we have a valid dentry that we can use to get the entire pathname on
>> the proc filesystem.  With the recent change to sys_sysctl to go through
>> proc/sys, all proc and sysctl accesses go through the vfs, which
>> means we no longer need a sysctl special case.
>
> I need to investigate this further, but one immediate issue is that 
> Tomoyo seems to have similar code.

The Tomoyo code is currently gone in the sysctl tree (and thus in
linux-next); that change was part of what got me thinking about changing
selinux as well.

If we can remove the selinux special case as well then we can actually
remove the sysctl hook from the lsm.

Eric


Thread overview: 5+ messages
2009-11-20 19:01 [RFC][PATCH] security/selinux: Simplify proc inode to security label mapping Eric W. Biederman
2009-11-22 22:18 ` James Morris
2009-11-23  2:10   ` [RFC][PATCH] security/selinux: Simplify proc inode to securitylabel mapping Tetsuo Handa
2009-11-23  2:42   ` Eric W. Biederman [this message]
2009-11-25  8:41 ` [RFC][PATCH] security/selinux: Simplify proc inode to security label mapping James Morris