Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks

From: Christoph Hellwig
Date: Sat Sep 04 2004 - 06:16:28 EST


On Fri, Sep 03, 2004 at 09:54:23PM +0200, Kristian Sørensen wrote:
> >>We are working on a project called Umbrella, (umbrella.sf.net) which
> >>implements process-based mandatory access control in the Linux kernel.
> >>This access control is controlled by "restriction", e.g. by restricting
> >> some process from accessing any given file or directory.
> >>
> >>E.g. if a root owned process is restricted from accessing /var/www, and
> >>the process is compromised by an attacker, no matter what he does, he
> >>would not be able to access this directory.
> >
> >
> > mount --bind /var/www /home/joe/p0rn/, and then?
> Actually this "attack" is avoided, because restrictions are inherited,
> from parent process to its children.

If you restrict your process on the path /var/www/ but the same objects
are also available below a different path, what does that have to do with
child processes?
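
Added example, not part of the original message and not Umbrella's code: a userspace C sketch of the aliasing problem raised above, comparing a path-prefix check with a device/inode comparison. The function names and temporary paths are hypothetical, and a hard link stands in for the bind mount (which needs CAP_SYS_ADMIN); both give one object a second name.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Path-string policy (hypothetical): deny names at or below the prefix. */
static int path_denied(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Object identity: two names are the same object if device and inode match. */
static int same_object(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Constructed scenario: <tmp>/www/index.html gets a second name,
 * <tmp>/alias.html, outside the restricted directory <tmp>/www.
 * Returns bit 0 = path check denies the alias, bit 1 = inodes match. */
int alias_demo(void)
{
    char dir[] = "/tmp/alias-demo-XXXXXX";
    char www[128], file[160], alias[160];
    int result = 0;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    snprintf(www, sizeof www, "%s/www", dir);
    snprintf(file, sizeof file, "%s/index.html", www);
    snprintf(alias, sizeof alias, "%s/alias.html", dir);
    if (mkdir(www, 0700) != 0 || !(f = fopen(file, "w"))) return -1;
    fclose(f);
    if (link(file, alias) != 0) return -1;

    if (path_denied(alias, www)) result |= 1;        /* stays 0: name differs */
    if (same_object(file, alias) == 1) result |= 2;  /* set: same inode */

    unlink(alias); unlink(file); rmdir(www); rmdir(dir);
    return result;
}

int main(void) { printf("alias_demo() = %d\n", alias_demo()); return 0; }
```

A result of 2 means the path check let the alias through while the device/inode pair identified it as the restricted object.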
