Subject: Re: [PATCH] integrity: fix IMA inode leak
From: Mimi Zohar
To: James Morris
Cc: Linus Torvalds, Hugh Dickins, Mimi Zohar, Andrew Morton, Serge Hallyn, Al Viro, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, David Safford
Date: Mon, 08 Jun 2009 22:56:51 -0400
Message-Id: <1244516211.3804.24.camel@dyn9002018117.watson.ibm.com>

On Tue, 2009-06-09 at 09:16 +1000, James Morris wrote:
> On Mon, 8 Jun 2009, Mimi Zohar wrote:
>
> >
> > Ok, so instead of having a full-fledged single security layer, only add
> > the security layer for those places where both the LSM hooks and IMA
> > co-exist: security_file_mmap, security_bprm_check, security_inode_alloc,
> > security_inode_free, and security_file_free. As the LSM hooks are called
> > 'security_XXXX', the call would look something like:
> >
> > security_all_inode_free() {
> >     ima_inode_free()
> >     security_inode_free()
> > }
>
> Yes, it only needs to be a wrapper. The above is ugly, how about:

Agreed! But changing only these 5 security_ hook names and leaving the rest
alone is even uglier.

> security_inode_free()
> {
>     ima_inode_free();
>     lsm_inode_free();
> }
>
> I think we may have come full circle on the naming of the LSM hook, but
> 'security_*' was never great given that it's only supposed to be covering
> access control.

So why not 'mac_'?

Mimi Zohar