From: Tejun Heo <tj@kernel.org>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
linux-security-module@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org
Subject: Re: [PATCH v3 5/5] kernfs: initialize security of newly created nodes
Date: Wed, 30 Jan 2019 09:09:11 -0800 [thread overview]
Message-ID: <20190130170911.GZ50184@devbig004.ftw2.facebook.com> (raw)
In-Reply-To: <20190130114150.27807-6-omosnace@redhat.com>
Hello,
On Wed, Jan 30, 2019 at 12:41:50PM +0100, Ondrej Mosnacek wrote:
> @@ -673,6 +698,12 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
> goto err_out3;
> }
>
> + if (parent) {
> + ret = kernfs_node_init_security(parent, kn);
> + if (ret)
> + goto err_out3;
> + }
So, doing this unconditionally isn't a good idea. kernfs doesn't use
the usual dentry/inode because there are machines with 6, even 7 digit
number of kernfs nodes and some of them even failed to boot due to
memory shortage. Please don't blow it up by default.
Thanks.
--
tejun
next prev parent reply other threads:[~2019-01-30 17:09 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-30 11:41 [PATCH v3 0/5] Allow initializing the kernfs node's secctx based on its parent Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 1/5] selinux: try security xattr after genfs for kernfs filesystems Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 2/5] kernfs: use simple_xattrs for security attributes Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 3/5] LSM: add new hook for kernfs node initialization Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 4/5] selinux: implement the kernfs_init_security hook Ondrej Mosnacek
2019-01-30 11:41 ` [PATCH v3 5/5] kernfs: initialize security of newly created nodes Ondrej Mosnacek
2019-01-30 17:09 ` Tejun Heo [this message]
2019-01-31 10:20 ` Ondrej Mosnacek
2019-01-31 14:22 ` Tejun Heo
2019-01-31 16:39 ` Casey Schaufler
2019-02-04 9:48 ` Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190130170911.GZ50184@devbig004.ftw2.facebook.com \
--to=tj@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgroups@vger.kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).