Re: [patch 01/15] security: pass path to inode_create

[Andreas Gruenbacher]

On Monday 02 June 2008 14:49:06 Matthew Wilcox wrote:
> On Mon, Jun 02, 2008 at 02:45:10PM +0200, Andreas Gruenbacher wrote:
> > Without the vfsmount, when something is mounted in more than once place,
> > you cannot report which of the name aliases a process is accessing. This
> > is unacceptable; the logs would become unusable. With pathname-based, the
> > AppArmor and TOMOYO folks really mean pathname-based, not a hybrid
> > pathname / mount point model.
>
> audit_getname manages to do this.

You would assume, but no: audit_getname() grabs a reference to the pwd and the 
absolute or relative pathname. The vfs resolves this to a dentry, but there 
is no guarantee that the audit system will end up with the same pathname for 
reporting: the namespace may have changed arbitrarily in the meantime.

(I find it rather interesting that this is consistent enough for audit; in my 
opinion it isn't.)

On the other hand, AppArmor computes the path it uses for checking from the 
dentry/vfsmount atomically with respect to namespace changes, and so the path 
used for checking and reporting is always consistent (and it is guaranteed 
that the object has been reachable via this path at the time the path has 
been generated).

Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/