On Mon, Aug 12, 2019 at 9:41 AM Jan Kara wrote:
> On Sat 10-08-19 11:01:16, Paul Moore wrote:
> > On August 10, 2019 6:05:27 AM Amir Goldstein wrote:
> >
> > Other than Casey's comments, and ACK, I'm not seeing much commentary
> > on this patch so FS and LSM folks consider this your las
On 8/12/19 9:41 AM, Jan Kara wrote:
On Sat 10-08-19 11:01:16, Paul Moore wrote:
On August 10, 2019 6:05:27 AM Amir Goldstein wrote:
Other than Casey's comments, and ACK, I'm not seeing much commentary
on this patch so FS and LSM folks consider this your last chance - if
I don't hear any objec
On Sat 10-08-19 11:01:16, Paul Moore wrote:
> On August 10, 2019 6:05:27 AM Amir Goldstein wrote:
>
> Other than Casey's comments, and ACK, I'm not seeing much commentary
> on this patch so FS and LSM folks consider this your last chance - if
> I don't hear any objections by the en
On August 10, 2019 6:05:27 AM Amir Goldstein wrote:
Other than Casey's comments, and ACK, I'm not seeing much commentary
on this patch so FS and LSM folks consider this your last chance - if
I don't hear any objections by the end of this week I'll plan on
merging this into sel
> > > Other than Casey's comments, and ACK, I'm not seeing much commentary
> > > on this patch so FS and LSM folks consider this your last chance - if
> > > I don't hear any objections by the end of this week I'll plan on
> > > merging this into selinux/next next week.
> >
> > Please consider it is
> >>> + switch (flags & FANOTIFY_MARK_TYPE_BITS) {
> >>> + case FAN_MARK_MOUNT:
> >>> + obj_type = FSNOTIFY_OBJ_TYPE_VFSMOUNT;
> >>> + break;
> >>> + case FAN_MARK_FILESYSTEM:
> >>> + obj_type = FSNOTIFY_OBJ_TYPE_SB;
> >>> +
...
> >> First a suggestion, take it or leave it.
> >> The name of the hook _notify() seems misleading to me.
> >> naming the hook security_path_watch() seems much more
> >> appropriate and matching the name of the constants FILE__WATCH
> >> used by selinux.
> >
> > I guess I'm not too bothered by
On 8/9/19 5:06 AM, Amir Goldstein wrote:
On Thu, Aug 8, 2019 at 9:33 PM Paul Moore wrote:
On Wed, Jul 31, 2019 at 11:35 AM Aaron Goidel wrote:
As of now, setting watches on filesystem objects has, at most, applied a
check for read access to the inode, and in the case of fanotify, requires
On 8/9/19 8:55 AM, Paul Moore wrote:
On Fri, Aug 9, 2019 at 5:06 AM Amir Goldstein wrote:
On Thu, Aug 8, 2019 at 9:33 PM Paul Moore wrote:
On Wed, Jul 31, 2019 at 11:35 AM Aaron Goidel wrote:
As of now, setting watches on filesystem objects has, at most, applied a
check for read access t
On Fri, Aug 9, 2019 at 5:06 AM Amir Goldstein wrote:
> On Thu, Aug 8, 2019 at 9:33 PM Paul Moore wrote:
> > On Wed, Jul 31, 2019 at 11:35 AM Aaron Goidel wrote:
> > > As of now, setting watches on filesystem objects has, at most, applied a
> > > check for read access to the inode, and in the cas
On Thu, Aug 8, 2019 at 9:33 PM Paul Moore wrote:
>
> On Wed, Jul 31, 2019 at 11:35 AM Aaron Goidel wrote:
> > As of now, setting watches on filesystem objects has, at most, applied a
> > check for read access to the inode, and in the case of fanotify, requires
> > CAP_SYS_ADMIN. No specific secur
On Wed, Jul 31, 2019 at 11:35 AM Aaron Goidel wrote:
> As of now, setting watches on filesystem objects has, at most, applied a
> check for read access to the inode, and in the case of fanotify, requires
> CAP_SYS_ADMIN. No specific security hook or permission check has been
> provided to control
On Thu, Aug 1, 2019 at 7:31 AM Stephen Smalley wrote:
> On 7/31/19 8:27 PM, Paul Moore wrote:
> > On Wed, Jul 31, 2019 at 1:26 PM Casey Schaufler
> > wrote:
> >> On 7/31/2019 8:34 AM, Aaron Goidel wrote:
...
> >>> +static int selinux_path_notify(const struct path *path, u64 mask,
> >>> +
On 7/31/19 8:27 PM, Paul Moore wrote:
On Wed, Jul 31, 2019 at 1:26 PM Casey Schaufler wrote:
On 7/31/2019 8:34 AM, Aaron Goidel wrote:
As of now, setting watches on filesystem objects has, at most, applied a
check for read access to the inode, and in the case of fanotify, requires
CAP_SYS_ADMI
On Wed, Jul 31, 2019 at 1:26 PM Casey Schaufler wrote:
> On 7/31/2019 8:34 AM, Aaron Goidel wrote:
> > As of now, setting watches on filesystem objects has, at most, applied a
> > check for read access to the inode, and in the case of fanotify, requires
> > CAP_SYS_ADMIN. No specific security hook
On 7/31/2019 8:34 AM, Aaron Goidel wrote:
> As of now, setting watches on filesystem objects has, at most, applied a
> check for read access to the inode, and in the case of fanotify, requires
> CAP_SYS_ADMIN. No specific security hook or permission check has been
> provided to control the setting
As of now, setting watches on filesystem objects has, at most, applied a
check for read access to the inode, and in the case of fanotify, requires
CAP_SYS_ADMIN. No specific security hook or permission check has been
provided to control the setting of watches. Using any of inotify, dnotify,
or fano
On Wed, 10 Jul 2019, Casey Schaufler wrote:
> On 7/10/2019 6:34 AM, Aaron Goidel wrote:
>
> > Furthermore, fanotify watches grant more power to
> > an application in the form of permission events. While notification events
> > are solely, unidirectional (i.e. they only pass information to the
> >
On 7/10/2019 11:39 AM, Stephen Smalley wrote:
> On 7/10/19 12:38 PM, Casey Schaufler wrote:
>> On 7/10/2019 6:34 AM, Aaron Goidel wrote:
>>> As of now, setting watches on filesystem objects has, at most, applied a
>>> check for read access to the inode, and in the case of fanotify, requires
>>> CAP
On 7/10/19 12:38 PM, Casey Schaufler wrote:
On 7/10/2019 6:34 AM, Aaron Goidel wrote:
As of now, setting watches on filesystem objects has, at most, applied a
check for read access to the inode, and in the case of fanotify, requires
CAP_SYS_ADMIN. No specific security hook or permission check ha
On 7/10/19 10:22 AM, Joe Perches wrote:
> On Wed, 2019-07-10 at 10:18 -0700, Joe Perches wrote:
>> On Wed, 2019-07-10 at 09:49 -0700, Randy Dunlap wrote:
>>> On 7/10/19 9:38 AM, Casey Schaufler wrote:
On 7/10/2019 6:34 AM, Aaron Goidel wrote:
> @@ -3261,6 +3262,26 @@ static int selinux_ino
On 7/10/19 10:55 AM, Amir Goldstein wrote:
On Wed, Jul 10, 2019 at 4:34 PM Aaron Goidel wrote:
As of now, setting watches on filesystem objects has, at most, applied a
check for read access to the inode, and in the case of fanotify, requires
CAP_SYS_ADMIN. No specific security hook or permissi
On Wed, 2019-07-10 at 10:18 -0700, Joe Perches wrote:
> On Wed, 2019-07-10 at 09:49 -0700, Randy Dunlap wrote:
> > On 7/10/19 9:38 AM, Casey Schaufler wrote:
> > > On 7/10/2019 6:34 AM, Aaron Goidel wrote:
> > > > @@ -3261,6 +3262,26 @@ static int selinux_inode_removexattr(struct
> > > > dentry *d
On Wed, 2019-07-10 at 09:49 -0700, Randy Dunlap wrote:
> On 7/10/19 9:38 AM, Casey Schaufler wrote:
> > On 7/10/2019 6:34 AM, Aaron Goidel wrote:
> > > @@ -3261,6 +3262,26 @@ static int selinux_inode_removexattr(struct dentry
> > > *dentry, const char *name)
> > > return -EACCES;
> > > }
> > >
On 7/10/2019 9:49 AM, Randy Dunlap wrote:
> On 7/10/19 9:38 AM, Casey Schaufler wrote:
>> On 7/10/2019 6:34 AM, Aaron Goidel wrote:
>>> @@ -3261,6 +3262,26 @@ static int selinux_inode_removexattr(struct dentry
>>> *dentry, const char *name)
>>> return -EACCES;
>>> }
>>>
>>> +static int seli
On 7/10/19 9:38 AM, Casey Schaufler wrote:
> On 7/10/2019 6:34 AM, Aaron Goidel wrote:
>> @@ -3261,6 +3262,26 @@ static int selinux_inode_removexattr(struct dentry
>> *dentry, const char *name)
>> return -EACCES;
>> }
>>
>> +static int selinux_inode_notify(struct inode *inode, u64 mask)
>
On 7/10/2019 6:34 AM, Aaron Goidel wrote:
> As of now, setting watches on filesystem objects has, at most, applied a
> check for read access to the inode, and in the case of fanotify, requires
> CAP_SYS_ADMIN. No specific security hook or permission check has been
> provided to control the setting
On Wed, Jul 10, 2019 at 4:34 PM Aaron Goidel wrote:
>
> As of now, setting watches on filesystem objects has, at most, applied a
> check for read access to the inode, and in the case of fanotify, requires
> CAP_SYS_ADMIN. No specific security hook or permission check has been
> provided to control
As of now, setting watches on filesystem objects has, at most, applied a
check for read access to the inode, and in the case of fanotify, requires
CAP_SYS_ADMIN. No specific security hook or permission check has been
provided to control the setting of watches. Using any of inotify, dnotify,
or fano