Re: [PATCH 04/24] VFS: Add LSM hooks for filesystem context [ver #7]

2018-04-25 Thread Stephen Smalley
On 04/24/2018 11:22 AM, David Howells wrote:
> Stephen Smalley wrote:
>
>> Neither fsopen() nor fscontext_fs_write() appear to perform any kind of
>> up-front permission checking (DAC or MAC), although some security hooks may
>> be ultimately called to allocate structures, parse security options,

Re: [PATCH 04/24] VFS: Add LSM hooks for filesystem context [ver #7]

2018-04-24 Thread David Howells
Stephen Smalley wrote:
> Neither fsopen() nor fscontext_fs_write() appear to perform any kind of
> up-front permission checking (DAC or MAC), although some security hooks may
> be ultimately called to allocate structures, parse security options, etc.
> Is there a reason not to apply a may_mount() or

Re: [PATCH 04/24] VFS: Add LSM hooks for filesystem context [ver #7]

2018-04-23 Thread Stephen Smalley
On 04/20/2018 11:35 AM, David Howells wrote:
> Paul Moore wrote:
>
>> Adding the SELinux mailing list to the CC line; in the future please
>> include the SELinux mailing list on patches like this. It would also
>> be very helpful to include "selinux" somewhere in the subject line
>> when the pat

Re: [PATCH 04/24] VFS: Add LSM hooks for filesystem context [ver #7]

2018-04-20 Thread David Howells
Paul Moore wrote:
> Adding the SELinux mailing list to the CC line; in the future please
> include the SELinux mailing list on patches like this. It would also
> be very helpful to include "selinux" somewhere in the subject line
> when the patch is predominately SELinux related (much like you di

Re: [PATCH 04/24] VFS: Add LSM hooks for filesystem context [ver #7]

2018-04-19 Thread Paul Moore
On Thu, Apr 19, 2018 at 9:31 AM, David Howells wrote:
> Add LSM hooks for use by the filesystem context code. This includes:
>
> (1) Hooks to handle allocation, duplication and freeing of the security
> record attached to a filesystem context.
>
> (2) A hook to snoop a mount option in key

[PATCH 04/24] VFS: Add LSM hooks for filesystem context [ver #7]

2018-04-19 Thread David Howells
Add LSM hooks for use by the filesystem context code. This includes:
(1) Hooks to handle allocation, duplication and freeing of the security record attached to a filesystem context.
(2) A hook to snoop a mount option in key[=val] form. If the LSM decides it wants to handle it, it c