It would be better to include the patch inline for review. In any
event, a few observations on your patch:
- We don't want to replace " *** uous" knowledge of proc with
" *** ous" knowledge of the dcache. So rather than encoding knowledge
of the magical "//deleted" suffix into selinux, use an interface to the
dcache (or add one if none exists) that does not append that suffix at
all. I think apparmor did something similar to deal with the (deleted)
suffix for d_path.
- You don't need special handling of /proc/PID entries. Those are
labeled via the security_task_to_inode -> selinux_task_to_inode hook,
called from proc_pid_make_inode and the _revalidate functions.
- Don't remove the IS_PRIVATE() test from inode_has_perm(), as other
inodes beyond just the /proc/sys ones are marked with that flag
(original usage was for reiserfs xattr inodes).
National Security Agency