Kernel default security configuration - how it affects LSM policy?
valdis.kletnieks at vt.edu
valdis.kletnieks at vt.edu
Sun Nov 25 22:26:41 EST 2018
On Wed, 21 Nov 2018 17:20:50 +0300, Lev Olshvang said:
> So the questioned config option seems obsolete ?
> Wheher LSM always consulted last ?
If an LSM is configured/loaded, it is always consulted *after* applying
standard DAC file permission bits checks. (Discretionary Access Control- the
owner of the file/object is allowed to make their own decisions)
LSMs are always restrictive MAC (Mandatory access control - they are applied by
the system regardless of what the user/owner wants) calls. Restrictive means
they can only prohibit a call that has already passed the DAC check, they
cannot allow a call that would otherwise be failed by DAC.
LSMs are called after DAC checks for a number of reasons. One big one
is that when the LSM hooks were designed, the file permission checks were
(and still are) incredibly cheap - 3-4 opcodes or so. So it makes sense to
do the cheap check first, as things like SELinux or AppArmor take a lot
more cycles to do the check. (There's also a few oddball corner cases where
doing the MAC check first results in non-intuitive results)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181125/0873d1ad/attachment.sig>
More information about the Kernelnewbies
mailing list