Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

On Wed, 23 May 2007, Andreas Gruenbacher wrote:

> This is backwards from what AppArmor does. The policy defines which paths may 
> be accessed; all paths not explicitly listed are denied. If files are mounted 
> at multiple locations, then the policy may allow access to some locations but 
> not to others. That's not a hole.

I don't know what else you'd call it.

Would you mind providing some concrete examples of how such a model would 
be useful?


- James
-- 
James Morris
<[email protected]>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook
  - From: Tetsuo Handa <[email protected]>
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Andreas Gruenbacher <[email protected]>

References:
- [AppArmor 00/41] AppArmor security module overview
  - From: [email protected]
- [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: [email protected]
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Al Viro <[email protected]>
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Andreas Gruenbacher <[email protected]>

Prev by Date: [git patches] IDE fixes
Next by Date: Re: [PATCH] Reduce cpuset.c write_lock_irq() to read_lock()
Previous by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
Next by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]