Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks

From: Stephen Smalley
Date: Fri Sep 03 2004 - 10:46:57 EST

Next message: Zwane Mwaikambo: "Re: [PATCH][0/8] Arch agnostic completely out of line locks"
Previous message: Bjorn Helgaas: "Re: [PATCH] allow i8042 register location override"
In reply to: Kristian Sørensen: "Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks"
Next in thread: Andrea Arcangeli: "Re: Getting full path from dentry in LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2004-09-03 at 09:20, Kristian SÃrensen wrote:
> E.g. if a root owned process is restricted from accessing /var/www, and
> the process is compromised by an attacker, no mater what he does, he
> would not be able to access this directory.

Control access to objects, not names. Assign security attributes to the
objects, and use those attributes in your access control checks, not a
useless pathname. Otherwise, your "security" system will always be
trivially bypassable.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Zwane Mwaikambo: "Re: [PATCH][0/8] Arch agnostic completely out of line locks"
Previous message: Bjorn Helgaas: "Re: [PATCH] allow i8042 register location override"
In reply to: Kristian Sørensen: "Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks"
Next in thread: Andrea Arcangeli: "Re: Getting full path from dentry in LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]