Re: security module question

From: James Morris
Date: Tue Aug 04 2009 - 22:03:19 EST


On Tue, 4 Aug 2009, Justin Banks wrote:

> Hello - I'm trying to implement a security module that will allow or
> disallow writes on files by byte ranges. Is there a way to use
> inode_permission() to do this, or is there an alternative route I should
> take? It doesn't look like inode_permission() will give me the data I
> need (offset + length of write).

This doesn't seem to fit with the LSM model, where access is mediated at
object-level granularity, i.e. can user A read file B?

> Also, is there a security module that will examine data being written
> for certain patterns or content?

The fanotify / TALPA file access scanning work being done by Eric Paris
might be more appropriate.

See http://lwn.net/Articles/339399/

> Please CC: me on responses. I used to be subscribed, but the traffic was
> just too much.

You probably want the LSM mailing list (cc'd).


--
James Morris
<jmorris@xxxxxxxxx>
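As an added illustration of the second suggestion above (this is example code written for this page, not code from the thread, from Eric Paris's TALPA work, or from the LWN article): a minimal userspace content scanner on the fanotify API as it was eventually merged (Linux 2.6.37 and later, so newer than this 2009 message). It marks a whole mount, scans each file at open time and answers the FAN_OPEN_PERM event with FAN_ALLOW or FAN_DENY, and also scans on FAN_CLOSE_WRITE. The signature it looks for is the standard EICAR test string, chosen here only so the example can be exercised safely; the program name and the mount to watch are assumptions. Note the caveat that matters for the original question: fanotify can veto an open or a read (FAN_OPEN_PERM, FAN_ACCESS_PERM) of the whole file, but it has no pre-write permission event, so content that is written can only be noticed after the fact on FAN_CLOSE_WRITE, and neither fanotify nor an LSM hook mediates individual byte ranges. Running the main program needs CAP_SYS_ADMIN; the scanning functions themselves are plain C and run anywhere.

```c
/* fanscan.c: added example (not from the original thread or the TALPA/fanotify
 * project). Scans files on open via fanotify, using the EICAR test string as a
 * constructed signature. Needs root and a Linux kernel >= 2.6.37 to run main(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/fanotify.h>
#endif

/* Constructed signature: the standard, harmless EICAR anti-virus test string. */
static const char EICAR_SIG[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

/* Naive substring search over the whole buffer (no byte-range semantics:
 * like LSM and fanotify, the decision is about the whole object). */
static int contains_sig(const unsigned char *buf, size_t len)
{
    size_t siglen = sizeof(EICAR_SIG) - 1, i;
    if (len < siglen) return 0;
    for (i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, EICAR_SIG, siglen) == 0) return 1;
    return 0;
}

/* Content policy: 1 = allow, 0 = deny. */
int content_allowed(const unsigned char *buf, size_t len)
{
    return !contains_sig(buf, len);
}

/* Read an entire stream and apply the policy. Fails closed (deny) on I/O or
 * allocation error, so a scanner fault never silently becomes an allow. */
int scan_stream(FILE *fp)
{
    unsigned char chunk[8192], *data = NULL;
    size_t total = 0, n;
    int allowed;
    while ((n = fread(chunk, 1, sizeof chunk, fp)) > 0) {
        unsigned char *p = realloc(data, total + n);
        if (!p) { free(data); return 0; }
        data = p;
        memcpy(data + total, chunk, n);
        total += n;
    }
    if (ferror(fp)) { free(data); return 0; }
    allowed = content_allowed(data, total);
    free(data);
    return allowed;
}

/* Self-test helper: write constructed bytes to a temporary file and scan it.
 * Returns 1/0 like scan_stream, or -1 if the temp file could not be created. */
int scan_bytes_as_file(const unsigned char *data, size_t len)
{
    FILE *fp = tmpfile();
    int result;
    if (!fp) return -1;
    if (fwrite(data, 1, len, fp) != len) { fclose(fp); return -1; }
    rewind(fp);
    result = scan_stream(fp);
    fclose(fp);
    return result;
}

#ifdef __linux__
/* Answer a permission event; until this is written the opener stays blocked. */
static void respond(int fan_fd, int fd, int allow)
{
    struct fanotify_response r = { .fd = fd, .response = allow ? FAN_ALLOW : FAN_DENY };
    if (write(fan_fd, &r, sizeof r) != sizeof r) perror("fanotify response");
}

int main(int argc, char **argv)
{
    char buf[4096];
    ssize_t len;
    if (argc != 2) { fprintf(stderr, "usage: %s <path-on-mount-to-watch>\n", argv[0]); return 2; }
    int fan_fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_CLOEXEC);
    if (fan_fd < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }
    /* Every file on the mount containing argv[1]: veto opens, notify on close-after-write. */
    if (fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
                      FAN_OPEN_PERM | FAN_CLOSE_WRITE, AT_FDCWD, argv[1]) < 0) {
        perror("fanotify_mark"); return 1;
    }
    for (;;) {
        len = read(fan_fd, buf, sizeof buf);
        if (len <= 0) { if (errno == EINTR) continue; perror("read"); return 1; }
        struct fanotify_event_metadata *ev = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            if (ev->vers != FANOTIFY_METADATA_VERSION) { fprintf(stderr, "fanotify ABI mismatch\n"); return 1; }
            if (ev->fd < 0) continue;
            /* The event fd is opened by the kernel with FMODE_NONOTIFY, so scanning
             * through it does not generate a second event for this listener. */
            int allow = 0;
            FILE *fp = fdopen(ev->fd, "r");
            if (fp) allow = scan_stream(fp);
            if (ev->mask & FAN_OPEN_PERM)
                respond(fan_fd, ev->fd, allow);          /* decided before the caller sees the file */
            else if ((ev->mask & FAN_CLOSE_WRITE) && !allow)
                fprintf(stderr, "pid %d wrote flagged content; fanotify cannot veto writes\n", ev->pid);
            if (fp) fclose(fp); else close(ev->fd);
        }
    }
}
#endif
```

Build with `gcc -O2 -o fanscan fanscan.c` and run as root with a path on the mount you want to cover, e.g. `./fanscan /home`; then `cat` of a file containing the EICAR string fails with EPERM at open, while a file that is created and written with that content is only reported once it is closed. The scanner reads the whole file into memory for the check; a production scanner would cap the size or stream its matcher, but the permission-event plumbing and the fail-closed default are the parts worth copying.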