Re: [patch] update: _working_ code to add device+inode check toipt_owner.c

[Stephen Smalley]

On Thu, 2004-09-09 at 12:22, Luke Kenneth Casson Leighton wrote:
> 	i do not believe it to be sensible to have the kernel
> 	code doing that kind of checking (resolving the full
> 	pathname of an executable) but hey, if anyone feels
> 	otherwise, and knows of some pre-existing code to point
> 	me in the direction of, i'll add it, because it might
> 	be easier in the long run.
<snip>
> 	has someone already done this before now, and if so,
> 	where?

d_path() will give you a pathname given a (dentry, vfsmount) pair.

> 	because it's the kind of code that would be extremely
> 	useful to have in selinux auditing.
> 
> 	the selinux auditing log messages only presently include
> 	the name of the file (not the fully qualified path) and
> 	things like "error access denied to a local directory
> 	named "lib" isn't exactly very helpful!)

SELinux already uses d_path when it can when generating audit messages
(but always includes device and inode information); try reading the
code.  But a vfsmount is often not available to it at the point of a
permission check.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/