[PATCH] fanotify, inotify, dnotify, security: add security hook for fs notifications
Paul Moore
paul at paul-moore.com
Thu Aug 1 12:47:56 UTC 2019
On Thu, Aug 1, 2019 at 7:31 AM Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On 7/31/19 8:27 PM, Paul Moore wrote:
> > On Wed, Jul 31, 2019 at 1:26 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> >> On 7/31/2019 8:34 AM, Aaron Goidel wrote:
...
> >>> +static int selinux_path_notify(const struct path *path, u64 mask,
> >>> + unsigned int obj_type)
> >>> +{
> >>> + int ret;
> >>> + u32 perm;
> >>> +
> >>> + struct common_audit_data ad;
> >>> +
> >>> + ad.type = LSM_AUDIT_DATA_PATH;
> >>> + ad.u.path = *path;
> >>> +
> >>> + /*
> >>> + * Set permission needed based on the type of mark being set.
> >>> + * Performs an additional check for sb watches.
> >>> + */
> >>> + switch (obj_type) {
> >>> + case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
> >>> + perm = FILE__WATCH_MOUNT;
> >>> + break;
> >>> + case FSNOTIFY_OBJ_TYPE_SB:
> >>> + perm = FILE__WATCH_SB;
> >>> + ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
> >>> + FILESYSTEM__WATCH, &ad);
> >>> + if (ret)
> >>> + return ret;
> >>> + break;
> >>> + case FSNOTIFY_OBJ_TYPE_INODE:
> >>> + perm = FILE__WATCH;
> >>> + break;
> >>> + default:
> >>> + return -EINVAL;
> >>> + }
> >>> +
> >>> + // check if the mask is requesting ability to set a blocking watch
> >
> > ... in the future please don't use "// XXX", use "/* XXX */" instead :)
> >
> > Don't respin the patch just for this, but if you have to do it for
> > some other reason please fix the C++ style comments. Thanks.
>
> This was discussed during the earlier RFC series but ultimately someone
> pointed to:
> https://lkml.org/lkml/2016/7/8/625
> where Linus blessed the use of C++/C99 style comments. And checkpatch
> accepts them these days.
Yep, I'm aware of both, it is simply a personal preference of mine.
I'm not going to reject patches with C++ style comments, but I would
ask people to stick to the good ol' fashioned comments for patches
they submit.
> Obviously if you truly don't want them in the SELinux code, that's your
> call. But note that all files now have at least one such comment as a
> result of the mass SPDX license headers that were added throughout the
> tree using that style.
FYI, the sky is blue.
It isn't just the license headers either, Al dropped one into hooks.c
:). Just like I don't plan to reject patches due only to the comment
style, you don't see me pushing patches to change the C++ comments.
--
paul moore
www.paul-moore.com
More information about the Linux-security-module-archive
mailing list