On Thu, 9 Aug 2007, David Howells wrote:
> James Morris <[email protected]> wrote:
>
> > David, I've looked at the code and can't see that you need to access the
> > label itself outside the LSM. Could you instead simply pass the inode
> > pointer around?
>
> It's not quite that simple. I need to impose *two* security labels in
> cachefiles_begin_secure() when I'm about to act on behalf of a process that's
> tried to access a netfs file:
Ah ok, we had a similar problem with NFS mount options.
While I'm concerned about encoding SELinux-optimized secid labels into
general kernel structures, moving to more generalized pointers introduces
lifecycle maintenance issues and complexity which is not needed in the
mainline kernel. i.e. it'll be unused infrastructure maintained by
upstream, and used only by out-of-tree modules.
So, given that the kernel has no stable API, I suggest accepting the u32
secid as you propose, and if someone wants to merge a module which also
uses these hooks, but is entirely unable to use u32 labels, then they can
also justify making the interface more generalized and provide the code
for it.
- James
--
James Morris
<[email protected]>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
