On Tue, 2005-02-22 at 13:22 -0500, Jim Houston wrote: > I spent time looking at the pty and selinux code yesterday. > I had little luck finding where the selinux code hooks into > the pty code.
The call to lookup_one_len() by fs/devpts/inode.c:get_node() ultimately calls permission(...,MAY_EXEC,...) on the devpts root directory, which will call security_inode_permission() -> selinux_inode_permission() to check search access to the directory. Hence, get_node() can fail if SELinux is enabled and the process has no permission at all to search /dev/pts. If it can get that far, then the inode will ultimately have its security label set upon the d_instantiate() call (via security_d_instantiate() -> selinux_d_instantiate()), and be subsequently checked for opens/reads/writes via the selinux_inode_permission() and selinux_file_permission() hook functions. -- Stephen Smalley <[EMAIL PROTECTED]> National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
