From: Tejun Heo <tj@kernel.org>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
linux-security-module@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org
Subject: Re: [PATCH v3 5/5] kernfs: initialize security of newly created nodes
Date: Wed, 30 Jan 2019 09:09:11 -0800 [thread overview]
Message-ID: <20190130170911.GZ50184@devbig004.ftw2.facebook.com> (raw)
In-Reply-To: <20190130114150.27807-6-omosnace@redhat.com>
Hello,
On Wed, Jan 30, 2019 at 12:41:50PM +0100, Ondrej Mosnacek wrote:
> @@ -673,6 +698,12 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
> goto err_out3;
> }
>
> + if (parent) {
> + ret = kernfs_node_init_security(parent, kn);
> + if (ret)
> + goto err_out3;
> + }
So, doing this unconditionally isn't a good idea. kernfs doesn't use
the usual dentry/inode because there are machines with 6, even 7 digit
number of kernfs nodes and some of them even failed to boot due to
memory shortage. Please don't blow it up by default.
Thanks.
--
tejun
next prev parent reply other threads:[~2019-01-30 17:09 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-30 11:41 [PATCH v3 0/5] Allow initializing the kernfs node's secctx based on its parent Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 1/5] selinux: try security xattr after genfs for kernfs filesystems Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 2/5] kernfs: use simple_xattrs for security attributes Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 3/5] LSM: add new hook for kernfs node initialization Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 4/5] selinux: implement the kernfs_init_security hook Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 5/5] kernfs: initialize security of newly created nodes Ondrej Mosnacek
2019-01-30 17:09 ` Tejun Heo [this message]
2019-01-31 10:20 ` Ondrej Mosnacek
2019-01-31 14:22 ` Tejun Heo
2019-01-31 16:39 ` Casey Schaufler
2019-02-04 9:48 ` Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190130170911.GZ50184@devbig004.ftw2.facebook.com \
--to=tj@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgroups@vger.kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.