Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

>> On the other hand, if you actually want to protect the _data_, thentagging the _name_ is flawed; tag the *DATA* instead.

Would it make sense to label the data (resource) with a list of paths(names) that can be used to access it?

Therefore the data would be protected against being accessed viaalternative arbitrary names. This may be a simple label to maintain and(possibly to) enforce, allowing path based confinement to protect aresource. This may allow for the benefits of pathname based confinementwhile avoiding some of its problems.

Obviously this would not protect against a pathname pointing toarbitrary data…



Just a thought.

Z. Cliffe Schreuders.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Casey Schaufler <[email protected]>
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Kyle Moffett <[email protected]>

References:
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Casey Schaufler <[email protected]>
- Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
  - From: Kyle Moffett <[email protected]>

Prev by Date: Re: [PATCH] x86: fix section mismatch warnings in mtrr
Next by Date: Oops in kernel 2.6.21
Previous by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
Next by thread: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]