<div xmlns="http://www.w3.org/1999/xhtml">
<div>One of the security option choices proposes to select the default security:</div>
<div>CONFIG_DEFAULT_SECURITY</div>
<div>The user can select traditional Unix DAC or one of the LSMs.</div>
<div>Suppose CONFIG_DEFAULT_SECURITY_DAC=y is selected.</div>
<div>I wonder how it affects LSM policy decisions.</div>
<div> </div>
<div>Let's take file permissions:</div>
<div>file fs/namei.c, kernel 4.8</div>
<div> </div>
<div>__inode_permission ---> do_inode_permission --> generic_permission :</div>
<div> </div>
<pre>
/* generic_permission(): */
        /*
         * Do the basic permission checks.
         */
        ret = acl_permission_check(inode, mask);
        ...
        if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
                return 0;

/* __inode_permission(): */
        retval = do_inode_permission(inode, mask);
        if (retval)
                return retval;

        ...

        retval = devcgroup_inode_permission(inode, mask);
        if (retval)
                return retval;

        return security_inode_permission(inode, mask);
</pre>
<div> </div>
<div>From reading the code we see that first the file ACL is consulted, then Unix UID/GID, then</div>
<div>capabilities and finally security_inode_permission, i.e. the LSM.</div>
<div> </div>
<div>So the config option in question seems obsolete?</div>
<div>Is the LSM always consulted last?</div>
<div> </div>
<div>Am I right? Perhaps I am missing another code path?</div>
</div>
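Added example, written for this page and not taken from the post or from the kernel source: a small user-space C model of the check order the post traces through `__inode_permission()` in 4.8 (DAC mode bits first, a capability override second, the LSM hook last). It makes visible the consequence of that order which the post's question turns on: the LSM hook is only reached after DAC has already allowed the access, so an LSM can further restrict but can never grant what DAC refused, and when no LSM provides the hook (the `CONFIG_DEFAULT_SECURITY_DAC=y` case as modelled here) the framework's answer is "allow" and the DAC verdict is the final one. Every function and type name below (`inode_permission_model`, `generic_permission_model`, `dac_permission_check`, `lsm_dac_only`, `lsm_deny_secret_write`, `struct minode`, `struct mtask`) is a hypothetical stand-in for the kernel code it mimics; the ACL branch is omitted and only owner/group/other mode bits are checked. The inode and tasks are constructed sample data.

```c
/* Added example, not code from the post or the kernel: a user-space model of
 * the check order the post traces through __inode_permission() for kernel 4.8,
 * DAC (mode bits) first, capability override second, LSM hook last.
 * Every name here is a hypothetical stand-in for the kernel function it mimics. */
#include <stdio.h>
#include <string.h>

#define MAY_EXEC  0x1   /* same bit values the kernel uses for the access mask */
#define MAY_WRITE 0x2
#define MAY_READ  0x4
#define EACCES    13

struct minode { unsigned mode; unsigned uid; unsigned gid; const char *name; };
struct mtask  { unsigned uid; unsigned gid; int cap_dac_override; };

/* LSM hook shape: 0 allows, -EACCES denies. It can never grant what DAC refused,
 * because it is only reached after DAC said yes (see inode_permission_model). */
typedef int (*inode_permission_hook)(const struct mtask *, const struct minode *, int);

/* CONFIG_DEFAULT_SECURITY_DAC=y with no LSM providing the hook: the framework's
 * answer is "allow", so the DAC verdict is the final one. */
int lsm_dac_only(const struct mtask *t, const struct minode *i, int mask)
{
    (void)t; (void)i; (void)mask;
    return 0;
}

/* A constructed restrictive policy standing in for a real LSM: no task may
 * write an inode named "secret", whatever its mode bits say. */
int lsm_deny_secret_write(const struct mtask *t, const struct minode *i, int mask)
{
    (void)t;
    return ((mask & MAY_WRITE) && strcmp(i->name, "secret") == 0) ? -EACCES : 0;
}

static int lsm_calls;                 /* how many times any LSM hook was reached */
int lsm_hook_calls(void) { return lsm_calls; }

/* Step 1, acl_permission_check() stand-in: plain owner/group/other mode bits. */
int dac_permission_check(const struct mtask *t, const struct minode *i, int mask)
{
    unsigned mode = i->mode;
    if (t->uid == i->uid)
        mode >>= 6;
    else if (t->gid == i->gid)
        mode >>= 3;
    return ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) ? 0 : -EACCES;
}

/* Step 2, generic_permission() stand-in: DAC, then a capability override. */
int generic_permission_model(const struct mtask *t, const struct minode *i, int mask)
{
    int ret = dac_permission_check(t, i, mask);
    if (ret != -EACCES)
        return ret;
    if (t->cap_dac_override)          /* CAP_DAC_OVERRIDE-like bypass */
        return 0;
    return -EACCES;
}

/* Step 3, __inode_permission() stand-in: the LSM hook runs only if the DAC
 * and capability checks already allowed the access. */
int inode_permission_model(inode_permission_hook hook, const struct mtask *t,
                           const struct minode *i, int mask)
{
    int ret = generic_permission_model(t, i, mask);
    if (ret)
        return ret;                   /* DAC denied: the LSM is never asked */
    lsm_calls++;
    return hook(t, i, mask);          /* LSM may only further restrict */
}

/* Constructed sample data and named scenarios, so outcomes are return values. */
static const struct minode SECRET     = { 0644, 1000, 1000, "secret" };
static const struct mtask  OWNER      = { 1000, 1000, 0 };
static const struct mtask  OTHER      = { 2000, 2000, 0 };
static const struct mtask  PRIVILEGED = { 0, 0, 1 };

int owner_write_dac_only(void)      { return inode_permission_model(lsm_dac_only, &OWNER, &SECRET, MAY_WRITE); }
int other_write_dac_only(void)      { return inode_permission_model(lsm_dac_only, &OTHER, &SECRET, MAY_WRITE); }
int privileged_write_dac_only(void) { return inode_permission_model(lsm_dac_only, &PRIVILEGED, &SECRET, MAY_WRITE); }
int owner_write_lsm_policy(void)    { return inode_permission_model(lsm_deny_secret_write, &OWNER, &SECRET, MAY_WRITE); }
int owner_read_lsm_policy(void)     { return inode_permission_model(lsm_deny_secret_write, &OWNER, &SECRET, MAY_READ); }

int main(void)
{
    printf("owner write, DAC only:      %d\n", owner_write_dac_only());
    printf("other write, DAC only:      %d (LSM not consulted)\n", other_write_dac_only());
    printf("privileged write, DAC only: %d\n", privileged_write_dac_only());
    printf("owner write, LSM policy:    %d\n", owner_write_lsm_policy());
    printf("owner read, LSM policy:     %d\n", owner_read_lsm_policy());
    printf("LSM hook reached %d of 5 times\n", lsm_hook_calls());
    return 0;
}
```

The scenario where `OTHER` is refused by the mode bits never increments the hook counter, which is the ordering the post reads out of `fs/namei.c`; the `lsm_deny_secret_write` scenario shows an LSM turning a DAC "yes" into a "no", while the `lsm_dac_only` scenarios show that with no LSM policy the DAC and capability results decide everything.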