Re: [PATCH (mmotm-2008-12-02-17-08)] Introducesecurity_path_set/clear() hooks.

From: Stephen Smalley
Date: Wed Dec 03 2008 - 09:16:23 EST

On Wed, 2008-12-03 at 17:56 +0900, Kentaro Takeda wrote:
> Stephen, Serge,
> Here is the patch for introducing new security_path_set()/clear() hooks.
> This patch enables LSM module to remember vfsmount's pathname so that it can
> calculate absolute pathname in security_inode_*(). Since actual MAC can be
> performed after DAC, there will not be any noise in auditing and learning
> features. This patch currently assumes that the vfsmount's pathname is stored in
> hash table in LSM module. (Should I use stack memory?)
> Since security_inode_*() are not always called after security_path_set(),
> security_path_clear() hook is needed to free the remembered pathname.

Your security_path_set()/security_path_clear() pairs look rather similar
to mnt_want_write()/mnt_drop_write() pairs. What if you were to call
your hooks from those functions, and then you would only need to add
further hook calls in the case of read-only and execute/search checks?

Stephen Smalley
National Security Agency

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at