On Wed, 21 Nov 2018 17:20:50 +0300, Lev Olshvang said: > So the questioned config option seems obsolete ? > Wheher LSM always consulted last ?
If an LSM is configured/loaded, it is always consulted *after* applying standard DAC file permission bits checks. (Discretionary Access Control- the owner of the file/object is allowed to make their own decisions) LSMs are always restrictive MAC (Mandatory access control - they are applied by the system regardless of what the user/owner wants) calls. Restrictive means they can only prohibit a call that has already passed the DAC check, they cannot allow a call that would otherwise be failed by DAC. LSMs are called after DAC checks for a number of reasons. One big one is that when the LSM hooks were designed, the file permission checks were (and still are) incredibly cheap - 3-4 opcodes or so. So it makes sense to do the cheap check first, as things like SELinux or AppArmor take a lot more cycles to do the check. (There's also a few oddball corner cases where doing the MAC check first results in non-intuitive results)
pgpjOHypjXIXL.pgp
Description: PGP signature
_______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
