Kernel default security configuration - how it affects LSM policy?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

One of the  choices of security options proposes to select default security
CONFIG_DEFAULT_SECURITY
User can select  traditional Unix DAC or one of LSMs.
Suppose CONFIG_DEFAULT_SECURITY_DAC=y  selected.
I wonder how it affects LSM policy decisions?
 
Lets take file permissions
file fs/namei.c, kernel 4.8
 
__inode_permission ---> do_inode_permission --> generic_permission :
 
/*
         * Do the basic permission checks.
         */
        ret = acl_permission_check(inode, mask);
     
       if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
                        return 0;
 
         
do_inode_permission(inode, mask);
        if (retval)
                return retval;
 
       ...
 
        retval = devcgroup_inode_permission(inode, mask);
        if (retval)
                return retval;
 
        return security_inode_permission(inode, mask);
 
 
 
from reading the code we see that first file ACL is consulted, then unix UID/GID then
capabilties and finally security_inode_permissions, i.e LSM
 
So the questioned config option seems obsolete ?
Wheher LSM always consulted last ?
 
Am I write ? Perhaps I miss another code path?
 
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]

  Powered by Linux