Linux-Fsdevel Archive on
 help / color / Atom feed
From: Tejun Heo <>
To: Ondrej Mosnacek <>
Cc:, Paul Moore <>,
	Stephen Smalley <>,
	Linux Security Module list 
	Casey Schaufler <>,
	Greg Kroah-Hartman <>,,
Subject: Re: [PATCH v3 5/5] kernfs: initialize security of newly created nodes
Date: Thu, 31 Jan 2019 06:22:44 -0800
Message-ID: <> (raw)
In-Reply-To: <>


On Thu, Jan 31, 2019 at 11:20:57AM +0100, Ondrej Mosnacek wrote:
> Hm, I see... basically the only thing that gets allocated in
> kernfs_node_init_security() by default (at least under SELinux/ no
> LSM) is the kernfs_iattrs structures, so I assume you are pointing at
> that. I think this can be easily fixed, if we again use the assumption


> Technically this might make some LSMs unhappy, if they want to set
> some non-default context even if parent is all default, but this is
> already impossible now and in this case I think we have no better
> choice than sacrificing a bit of flexibility for memory efficiency,
> which is apparently critical here.
> Tejun, Casey, would the above modification be fine with you?

Generally looks good but maybe it can check the attr to see whether
there actually are things which need inheritance?



  reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-30 11:41 [PATCH v3 0/5] Allow initializing the kernfs node's secctx based on its parent Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 1/5] selinux: try security xattr after genfs for kernfs filesystems Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 2/5] kernfs: use simple_xattrs for security attributes Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 3/5] LSM: add new hook for kernfs node initialization Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 4/5] selinux: implement the kernfs_init_security hook Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 5/5] kernfs: initialize security of newly created nodes Ondrej Mosnacek
2019-01-30 17:09   ` Tejun Heo
2019-01-31 10:20     ` Ondrej Mosnacek
2019-01-31 14:22       ` Tejun Heo [this message]
2019-01-31 16:39       ` Casey Schaufler
2019-02-04  9:48         ` Ondrej Mosnacek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Fsdevel Archive on

Archives are clonable:
	git clone --mirror linux-fsdevel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-fsdevel linux-fsdevel/ \
	public-inbox-index linux-fsdevel

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone