Re: [PATCH v1] security: Add a new hook: inode_touch_atime

From: MickaÃl SalaÃn
Date: Wed Dec 21 2016 - 19:02:40 EST

Next message: Peter Rosin: "[PATCH 1/2] power: supply: bq24735: allow polling even if there is no ac-detect gpio"
Previous message: Stephen Boyd: "Re: [PATCH v4 2/6] clk: qcom: ipq4019: Add the apss cpu pll divider clock node"
In reply to: Casey Schaufler: "Re: [PATCH v1] security: Add a new hook: inode_touch_atime"
Next in thread: Casey Schaufler: "Re: [PATCH v1] security: Add a new hook: inode_touch_atime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 22/12/2016 00:33, Casey Schaufler wrote:
> On 12/21/2016 3:15 PM, MickaÃl SalaÃn wrote:
>> Add a new LSM hook named inode_touch_atime which is needed to deny
>> indirect update of extended file attributes (i.e. access time) which are
>> not catched by the inode_setattr hook. By creating a new hook instead of
>> calling inode_setattr, we avoid to simulate a useless struct iattr.
>>
>> This hook allows to create read-only environments as with read-only
>> mount points. It can also take care of anonymous inodes.
>
> What security module would use this?

SELinux should be interested. This is useful to create sandboxes so
other LSM may be interested too

I'm working on a new LSM and I would like this kind of hook to create a
real read-only environment.

Regards,
MickaÃl

Attachment: signature.asc
Description: OpenPGP digital signature

Next message: Peter Rosin: "[PATCH 1/2] power: supply: bq24735: allow polling even if there is no ac-detect gpio"
Previous message: Stephen Boyd: "Re: [PATCH v4 2/6] clk: qcom: ipq4019: Add the apss cpu pll divider clock node"
In reply to: Casey Schaufler: "Re: [PATCH v1] security: Add a new hook: inode_touch_atime"
Next in thread: Casey Schaufler: "Re: [PATCH v1] security: Add a new hook: inode_touch_atime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]