21.11.2018, 17:20, "Lev Olshvang" <levonshe@xxxxxxxxxx>:
One of the choices of security options proposes to select the default security:

    CONFIG_DEFAULT_SECURITY

The user can select traditional Unix DAC or one of the LSMs.
Suppose CONFIG_DEFAULT_SECURITY_DAC=y is selected.
I wonder how it affects LSM policy decisions?

Let's take file permissions, file fs/namei.c, kernel 4.8:

__inode_permission ---> do_inode_permission --> generic_permission :

    /*
     * Do the basic permission checks.
     */
    ret = acl_permission_check(inode, mask);
    if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
        return 0;

    retval = do_inode_permission(inode, mask);
    if (retval)
        return retval;
    ...
    retval = devcgroup_inode_permission(inode, mask);
    if (retval)
        return retval;

    return security_inode_permission(inode, mask);

From reading the code we see that first the file ACL is consulted, then Unix UID/GID, then capabilities and finally security_inode_permission, i.e. LSM.

So the questioned config option seems obsolete?
Whether LSM is always consulted last?
Am I right? Perhaps I miss another code path?
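As an added illustration of the ordering the post traces through __inode_permission() (not kernel code, and not part of the original mail), the following is a hypothetical model of that check chain: mode bits, then a simplified CAP_DAC_READ_SEARCH override that covers read but never write, and only then an LSM hook. It shows the consequence of LSM being last: a DAC denial returns before the hook runs, so an LSM can further restrict but can never grant what DAC refused.

```c
#include <stdbool.h>

#define MAY_EXEC  1
#define MAY_WRITE 2
#define MAY_READ  4
#define EACCES   13

/* Hypothetical models of an inode and of the calling task. */
struct inode { unsigned uid, gid, mode; };
struct task  { unsigned uid, gid; bool cap_dac_read_search; };
/* An LSM hook returns 0 to allow or -EACCES to deny; NULL means no LSM. */
typedef int (*lsm_hook_t)(const struct inode *, const struct task *, int);

int lsm_calls = 0;  /* how often the LSM hook was actually consulted */

/* Models generic_permission(): mode bits first, then the capability
 * override (simplified: CAP_DAC_READ_SEARCH covers read, never write). */
static int dac_permission(const struct inode *i, const struct task *t, int mask)
{
    unsigned mode = i->mode;
    if (t->uid == i->uid)      mode >>= 6;
    else if (t->gid == i->gid) mode >>= 3;
    if ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
        return 0;
    if (!(mask & MAY_WRITE) && t->cap_dac_read_search)
        return 0;
    return -EACCES;
}

/* Models the __inode_permission() ordering: DAC and capabilities first,
 * security_inode_permission() last; the hook is skipped on a DAC denial. */
static int inode_permission(const struct inode *i, const struct task *t,
                            int mask, lsm_hook_t lsm)
{
    int ret = dac_permission(i, t, mask);
    if (ret)
        return ret;           /* LSM never sees this request */
    if (!lsm)
        return 0;
    lsm_calls++;
    return lsm(i, t, mask);   /* can only turn an allow into a deny */
}

/* Two example policies: one restrictive, one that allows everything. */
static int deny_write_lsm(const struct inode *i, const struct task *t, int m)
{ (void)i; (void)t; return (m & MAY_WRITE) ? -EACCES : 0; }
static int allow_all_lsm(const struct inode *i, const struct task *t, int m)
{ (void)i; (void)t; (void)m; return 0; }
```

Calling inode_permission() on a 0644 file as a non-owner with MAY_WRITE and allow_all_lsm returns -EACCES with lsm_calls still 0, while the owner writing under deny_write_lsm is refused only after the hook has run.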
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies