Re: [PATCH] integrity: fix IMA inode leak
From: Mimi Zohar
Date: Mon Jun 08 2009 - 22:57:16 EST
On Tue, 2009-06-09 at 09:16 +1000, James Morris wrote:
> On Mon, 8 Jun 2009, Mimi Zohar wrote:
>
> >
> > Ok, so instead of having a full fledge single security layer, only add
> > the security layer for those places where both the LSM hooks and IMA
> > co-exist: security_file_mmap, security_bprm_check, security_inode_alloc,
> > security_inode_free, and security_file_free. As the LSM hooks are called
> > 'security_XXXX', the call would look something like:
> >
> > security_all_inode_free() {
> > ima_inode_free()
> > security_inode_free()
> > }
>
> Yes, it only needs to be a wrapper. The above is ugly, how about:
agreed! But changing only these 5 security_ hook names and leaving the
rest alone is even uglier.
> security_inode_free()
> {
> ima_inode_free();
> lsm_inode_free();
> }
>
> I think we may have come full circle on the naming of the LSM hook, but
> 'security_*' was never great given that it's only supposed to be covering
> access control.
so why not 'mac_'?
Mimi Zohar
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/