Shaya Potter wrote:
>> I figure this might be just beating my head against a wall, as people
>> aren't interested, but here's a bit more of a roadmap on how I believe
>> path based security can be easily implemented with no changes to the
>> kernel besides the addition of one or 2 more LSM hooks
It seems to me that your approach converts pathnames into tags (which
are unlikely to be string data). TOMOYO is using pathnames as one of
the factors for controlling whether the process is allowed to
open/create/delete the requested pathnames or not. If pathnames are
unavailable, that is no longer 'path based security' for TOMOYO.
I think one of the easiest ways is to use
mnt_want_write()/mnt_drop_write() hooks
( http://lkml.org/lkml/2008/8/19/16 ).
Even though this patch doesn't use LSM,
it's easy to convert hooks to LSM.
Regards,