mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/kernel-patches/for-mainline/overview.txt
Tony Jones 1c5c754489
2007-02-05 17:22:37 +00:00

125 lines
3.7 KiB
Text
Raw Blame History

Introduction
------------
The following are a set of patches the goal of which is to pass vfsmounts
through select portions of the VFS layer sufficient to be visible to the LSM
inode operation hooks.
They are being posted now as a request for comment. Presently the AppArmor
code - being a user of the LSM interface - does not receive the vfsmount
correspoding to an operation and has to employ convoluted and slow mechanisms
in an attempt to determine the vfsmount which are error prone. Therefore these
patches or some variant of them are viewed as a necessary precursor for the
AppArmor code being resubmitted.
It is currently planned to resubmit the AppArmor code to the list in the next
month. We apologise for the silence since the last submission, a combination
of research into different designs, other work pressures and just not doing
the "right thing". Regardless, early discussion and feedback on these
interface changes is appreciated.
Limitations of the current patches
----------------------------------
NULL is passed for the vfsmount from all NFS functions, this is analagous
to the current NULL nameidata for security_inode_permission. NULL is also
passed in certain cases for internal filesystem data which is not visible in
the normal namespace (Reiserfs being one example).
Struct vfsmount is passed to the LSM inode hooks rather than struct nameidata
as the hooks do not require the intent data and also as a few hooks are called
when only a struct file is available.
Possible changes
----------------
A second parameter is now being passed to many functions. One alternative is
to ammend the LSM interface (and struct nameidata) to use struct path instead
but this would be a larger change.
Patches
-------
security-create.diff
Pass struct vfsmount to the inode_create LSM hook.
proc_setattr.diff
Remove redundant check from proc_setattr().
remove_suid.diff
Pass struct file down to remove_suid and children
vfs-notify_change.diff
Add a vfsmount parameter to notify_change()
security-setattr.diff
Pass struct vfsmount to the inode_setattr LSM hook
vfs-mkdir.diff
Add struct vfsmount parameter to vfs_mkdir()
security-mkdir.diff
Pass struct vfsmount to the inode_mkdir LSM hook
vfs-mknod.diff
Add a struct vfsmount parameter to vfs_mknod()
security-mknod.diff
Pass struct vfsmount to the inode_mknod LSM hook
vfs-symlink.diff
Add a struct vfsmount parameter to vfs_symlink()
security-symlink.diff
Pass struct vfsmount to the inode_symlink LSM hook.
security-readlink.diff
Pass struct vfsmount to the inode_readlink LSM hook
vfs-link.diff
Add struct vfsmount parameters to vfs_link()
security-link.diff
Pass struct vfsmount to the inode_link LSM hook
vfs-rmdir.diff
Add a struct vfsmount parameter to vfs_rmdir()
security-rmdir.diff
Pass struct vfsmount to the inode_rmdir LSM hook
vfs-unlink.diff
Add a struct vfsmount parameter to vfs_unlink()
security-unlink.diff
Pass struct vfsmount to the inode_unlink LSM hook
vfs-rename.diff
Add struct vfsmount parameters to vfs_rename()
security-rename.diff
Pass struct vfsmount to the inode_rename LSM hook
vfs-setxattr.diff
Add a struct vfsmount parameter to vfs_setxattr()
security-setxattr.diff
Pass struct vfsmount to the inode_setxattr LSM hook
vfs-getxattr.diff
Add a struct vfsmount parameter to vfs_getxattr()
security-getxattr.diff
Pass struct vfsmount to the inode_getxattr LSM hook
vfs-listxattr.diff
Add a struct vfsmount parameter to vfs_listxattr()
security-listxattr.diff
Pass struct vfsmount to the inode_listxattr LSM hook
vfs-removexattr.diff
Add a struct vfsmount parameter to vfs_removexattr()
security-removexattr.diff
Pass struct vfsmount to the inode_removexattr LSM hook
Reference in a new issue View git blame Copy permalink