[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <08F0A127-BBEE-4B80-8AE7-1EB7CB815C16@mac.com>
Date: Thu, 16 Aug 2007 19:30:42 -0400
From: Kyle Moffett <mrmacman_g4@....com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: David Howells <dhowells@...hat.com>, viro@....linux.org.uk,
sds@...ho.nsa.gov, casey@...aufler-ca.com,
linux-fsdevel@...r.kernel.org, nfsv4@...ux-nfs.org,
linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov,
linux-security-module@...r.kernel.org
Subject: Re: Adding a security parameter to VFS functions
On Aug 16, 2007, at 18:57:24, Linus Torvalds wrote:
> On Wed, 15 Aug 2007, David Howells wrote:
>> Would you object greatly to functions like vfs_mkdir() gaining a
>> security parameter? What I'm thinking of is this:
>> int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode,
>> struct security *security)
>
> I personally consider this an affront to everythign that is decent.
>
> Why the *hell* would mkdir() be so magical as to need something
> like that?
Not speaking directly for David, but I believe the reason is for
background kernel code which needs to do filesystem access during a
thread's execution with *completely* different security context from
that of the thread. Examples should be reasonably obvious; kNFSd is
one, but it also includes anything where the kernel would poke
directly into the filesystem, such as network filesystem cachefiles.
> Make it something sane, like a "struct nameidata" instead, and make
> it at least try to look like the path creation that is done by "open
> ()". Or create a "struct file *" or something.
>
> I can imagine having "mkdir()" being passed similar data as "open
> ()" (ie "lookup()"), but I cannot _possibly_ imagine it ever being
> valid to pass in something totally made-up to just mkdir(), and
> nothing else. There's something fundamentally wrong there.
I would offer the suggestion of using the described "struct security"
in-place in the task struct, in place of using all those fields
individually. That would be, in effect the "default" security
context for any given task, if "NULL" is passed to the appropriate
vfs function. For CacheFiles and kNFSd, they could each allocate
their own during initialization or new-connection and pass that to
any "mkdir()", etc that they do on behalf of a given client.
> What makes mkdir() so magical?
>
> Also, what about all the other ops? Why is mkdir() special, but not
> "mknod()"? Why is "mkdir()" special, but not "rmdir()"? Really,
> none of this seems to make any sense unless you describe what is so
> magical about mkdir().
I think mkdir() was just an example he was using, probably because it
was the first VFS call he needed to set a security context on. Next
would come anything which CacheFiles or NFSd call on the underlying
filesystem.
Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists