From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S938295AbcLVACh (ORCPT ); Wed, 21 Dec 2016 19:02:37 -0500 Received: from smtp-sh.infomaniak.ch ([128.65.195.4]:41768 "EHLO smtp-sh.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932543AbcLVACe (ORCPT ); Wed, 21 Dec 2016 19:02:34 -0500 Subject: Re: [PATCH v1] security: Add a new hook: inode_touch_atime To: Casey Schaufler , linux-kernel@vger.kernel.org References: <20161221231506.19800-1-mic@digikod.net> Cc: Alexander Viro , Andreas Gruenbacher , Andy Lutomirski , Dmitry Kasatkin , Eric Paris , James Morris , John Johansen , Kees Cook , Kentaro Takeda , Mimi Zohar , Paul Moore , "Serge E . Hallyn" , Stephen Smalley , Tetsuo Handa , Vivek Goyal , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <585B17E3.5040809@digikod.net> Date: Thu, 22 Dec 2016 01:01:39 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="DXC2rNsU7IeUlPC0uClhdNLabDMiNbwQb" X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --DXC2rNsU7IeUlPC0uClhdNLabDMiNbwQb Content-Type: multipart/mixed; boundary="suxt8kbsolRWWu2HCgHWXk2PgKHQRIfx5"; protected-headers="v1" From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= To: Casey Schaufler , linux-kernel@vger.kernel.org Cc: Alexander Viro , Andreas Gruenbacher , Andy Lutomirski , Dmitry Kasatkin , Eric Paris , James Morris , John Johansen , Kees Cook , Kentaro Takeda , Mimi Zohar , Paul Moore , "Serge E . Hallyn" , Stephen Smalley , Tetsuo Handa , Vivek Goyal , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Message-ID: <585B17E3.5040809@digikod.net> Subject: Re: [PATCH v1] security: Add a new hook: inode_touch_atime References: <20161221231506.19800-1-mic@digikod.net> In-Reply-To: --suxt8kbsolRWWu2HCgHWXk2PgKHQRIfx5 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 22/12/2016 00:33, Casey Schaufler wrote: > On 12/21/2016 3:15 PM, Micka=C3=ABl Sala=C3=BCn wrote: >> Add a new LSM hook named inode_touch_atime which is needed to deny >> indirect update of extended file attributes (i.e. access time) which a= re >> not catched by the inode_setattr hook. By creating a new hook instead = of >> calling inode_setattr, we avoid to simulate a useless struct iattr. >> >> This hook allows to create read-only environments as with read-only >> mount points. It can also take care of anonymous inodes. >=20 > What security module would use this? SELinux should be interested. This is useful to create sandboxes so other LSM may be interested too I'm working on a new LSM and I would like this kind of hook to create a real read-only environment. Regards, Micka=C3=ABl --suxt8kbsolRWWu2HCgHWXk2PgKHQRIfx5-- --DXC2rNsU7IeUlPC0uClhdNLabDMiNbwQb Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEUysCyY8er9Axt7hqIt7+33O9apUFAlhbF+MACgkQIt7+33O9 apWnbwf9F9S3xlJ0JVSYXMa/f65JGgZb29nrZMnpfrh91W//0pcjB7R5c+eyge2U aYkNLIIGTH+W6tMZ5UCO1GGvMf4/vKnFOWVs/VGPifgcy+o0FFHm3vezf0pIK4FK Aafajzw6Bu7Bpahag8VeyCLFPUKj5pOZ4FbS3jTgczB0ydXoXsVej5KTSBFIYZyX 3xEXQmmgkk5kMKj9XYv0XqkV2pOG7/6ZCPVmuly5sTrODsALYfffnoQr1apIkxzI yV67U9ZIynBOE22DTWy/z+v0Wt3e7rRH6LlmcTVGq2dtlLK+AfvbGOpuzJSMINrO b9MQmsxlke69snjTrGcyCVkgeA4zcw== =sSXe -----END PGP SIGNATURE----- --DXC2rNsU7IeUlPC0uClhdNLabDMiNbwQb--