On Thu, 2007-06-28 at 20:15 +0200, Andreas Gruenbacher wrote: > On Thursday 28 June 2007 18:12, James Morris wrote: > > Are you trying to cater for the case where you're holding an open fd for a > > file which has been deleted, and thus has no pathname? > > Yes, see the AA_CHECK_FD flag in security/apparmor/main.c:aa_perm_dentry(). > We > want to distinguish between the following two cases: > > - process performs an operation on an open file descriptor, > > - process performs an operation on a pathname, and between the dentry > lookup and the LSM permission check, the file gets deleted. > > In the former case, we obviously want to continue giving the process access > to > his fd (the classical pattern: open temporary file; delete it so that it will > self-recycle, continue using the open file descriptor). > > In the latter case, The file still existed at the time of the lookup but not > anymore at the time of the permission check. The file obviously doesn't have > a filename anymore, so we cannot check permissions. If we granted access in > that case, processes could bypass their profile permissions in that race > window. We close the race by returning -ENOENT in that case, the same result > as if the file had already been deleted before the lookup.
So you don't actually need/use the struct file pointer; you just need a flag indicating whether or not access was by open file descriptor or by pathname? And what does this mean for a process that has "changed hats"? Which might not be authorized to access the file anymore, even via an already opened descriptor. -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
