Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755837AbXJCFNP (ORCPT ); Wed, 3 Oct 2007 01:13:15 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751438AbXJCFNA (ORCPT ); Wed, 3 Oct 2007 01:13:00 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:34753 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751046AbXJCFM7 (ORCPT ); Wed, 3 Oct 2007 01:12:59 -0400 Date: Wed, 3 Oct 2007 06:12:54 +0100 From: Al Viro To: Casey Schaufler Cc: torvalds@osdl.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, akpm@osdl.org, paul.moore@hp.com Subject: Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel Message-ID: <20071003051254.GH8181@ftp.linux.org.uk> References: <47031E76.6020801@schaufler-ca.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <47031E76.6020801@schaufler-ca.com> User-Agent: Mutt/1.4.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1884 Lines: 37 On Tue, Oct 02, 2007 at 09:45:42PM -0700, Casey Schaufler wrote: > > From: Casey Schaufler > > Smack is the Simplified Mandatory Access Control Kernel. > > Smack implements mandatory access control (MAC) using labels > attached to tasks and data containers, including files, SVIPC, > and other tasks. Smack is a kernel based scheme that requires > an absolute minimum of application support and a very small > amount of configuration data. I _really_ don't like what you are doing with these symlinks. For one thing, you have no exclusion between reading the list entries and modifying them. For another... WTF is filesystem making assumptions about the locations where the things are mounted? Hell, even if you override your tmp symlink, what happens if we want it in two chroot jails with different layouts? I really don't get it; why not simply have something like /smack/tmp.link resolve to tmp/