Bhargava Shastry wrote:
> Is there any particular reason why Tomoyo 1.8.2 does not intercept file lock
> system calls (e.g. fcntl(int fd, int cmd, struct flock *lock))? I have this
> question because I see that the tomoyo patch I have only intercepts fcntl
> calls of the type fcntl(int fd, int cmd, long arg);

This is because I consider that fcntl(F_SETFL) is worth checking permission for, but fcntl(F_SETLK or F_SETLKW) and flock() are not.

fcntl(F_SETFL) can change the write mode (overwrite / append) and is important for protecting log files.

flock()'s LOCK_SH/LOCK_EX/LOCK_UN argument is less useful to restrict compared to ioctl()'s command number argument.

fcntl(F_SETLK or F_SETLKW) provides file offset information (via "struct flock"), but that is overspecifying for TOMOYO users.
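
The write-mode change described in the reply above, as an added example that is not part of the original message or of TOMOYO's code: a temp file stands in for a log, and the function name, path template and entry strings are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read a whole small file into buf (NUL-terminated); returns length or -1. */
static ssize_t read_all(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Constructed demo. `before` receives the file contents after two writes on
 * an O_APPEND descriptor; `after` receives them once O_APPEND has been
 * cleared with fcntl(F_SETFL) and one more write was made at offset 0. */
int setfl_append_demo(char *before, char *after, size_t cap)
{
    char path[] = "/tmp/setfl_demo_XXXXXX";
    int rc = -1, flags, fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    fd = open(path, O_WRONLY | O_APPEND);   /* how a logger opens its file */
    if (fd < 0) goto out;
    if (write(fd, "entry1\n", 7) != 7) goto out;
    /* O_APPEND forces every write to end-of-file, so this seek has no effect. */
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, "entry2\n", 7) != 7) goto out;
    if (read_all(path, before, cap) < 0) goto out;
    /* The operation the F_SETFL permission check covers: dropping O_APPEND. */
    flags = fcntl(fd, F_GETFL);
    if (flags < 0 || fcntl(fd, F_SETFL, flags & ~O_APPEND) < 0) goto out;
    /* The same seek now takes effect and the write replaces the first entry. */
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, "XXXXXX\n", 7) != 7) goto out;
    if (read_all(path, after, cap) < 0) goto out;
    rc = 0;
out:
    if (fd >= 0) close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    char before[64], after[64];
    if (setfl_append_demo(before, after, sizeof before) != 0) return 1;
    printf("with O_APPEND:\n%safter F_SETFL:\n%s", before, after);
    return 0;
}
```

On Linux, a file carrying the append-only inode attribute (`chattr +a`) makes the `F_SETFL` call that clears `O_APPEND` fail with `EPERM`, which gives a filesystem-level check of the same operation.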