Re: Which hooks are permissive hooks?

From: Chris Wright (chrisat_private)
Date: Wed Mar 05 2003 - 09:31:20 PST


    * ¶«·½ ó»ÎÄ (phanixat_private) wrote:
    > 
    > The LSM documentation mentioned that in order to support POSIX.1e
    > capabilities LSM provides a minimal support to permissive hook functions.
    > 
    > 1. What does "minimal" mean here? Why minimal?
    
    Minimal because there was an existing capabilities infrastructure that
    required permissive hooks, so we just used that.  What we ideally wanted
    was fully authoritative hooks, but this is invasive as Sergey said.
    
    > 2. In the LSM kernel patch for 2.4.19, which hooks are permissive?
    
    As Sergey pointed out, the capable() hook is the only permissive hook.
    This is context specific.  Not all capabilities are used to override
    kernel permission checks however, they are the entire access control check
    (see use of CAP_SYS_ADMIN in the fs/namespace.c).  A fine example of the
    permissive hook is CAP_DAC_OVERRIDE in the vfs_permission() function.
    This capability allows the user to override the normal DAC check on
    file access.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
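
The distinction drawn in the message above, as an added example that is not part of the original post and is not LSM or kernel code: a simplified user-space model in which a DAC denial can be overridden by capable(CAP_DAC_OVERRIDE), a restrictive hook can only deny, and CAP_SYS_ADMIN is the whole check for mounting. The names `permission`, `dac_permission`, `restrictive_hook`, `may_mount` and the two structs are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4 };
enum { CAP_DAC_OVERRIDE = 1, CAP_SYS_ADMIN = 21 };   /* kernel capability numbers */

struct task  { unsigned uid, gid; unsigned long caps; }; /* simplified model types */
struct inode { unsigned uid, gid, mode; };

/* Stand-in for the capable() hook; here it only tests a bit in the task. */
static int capable(const struct task *t, int cap) { return (t->caps >> cap) & 1; }
/* Hypothetical restrictive module hook: returns 0 or a negative errno. */
typedef int (*restrictive_hook)(const struct task *, const struct inode *, int);

/* DAC check reduced to mode bits plus the override (exec special case omitted). */
static int dac_permission(const struct task *t, const struct inode *i, int mask)
{
    unsigned mode = i->mode;
    if (t->uid == i->uid)      mode >>= 6;
    else if (t->gid == i->gid) mode >>= 3;
    if ((mode & mask & 7) == (unsigned)mask)
        return 0;                        /* mode bits grant access */
    if (capable(t, CAP_DAC_OVERRIDE))
        return 0;                        /* permissive: a DAC denial is overridden */
    return -EACCES;
}

/* A restrictive hook runs only after DAC allowed, so it can deny but never grant. */
static int permission(const struct task *t, const struct inode *i, int mask,
                      restrictive_hook hook)
{
    int err = dac_permission(t, i, mask);
    if (err) return err;
    return hook ? hook(t, i, mask) : 0;
}

/* Here the capability is the entire access check: there is no DAC to override. */
static int may_mount(const struct task *t) { return capable(t, CAP_SYS_ADMIN) ? 0 : -EPERM; }

static int allow_all(const struct task *t, const struct inode *i, int m) { (void)t; (void)i; (void)m; return 0; }
static int deny_all(const struct task *t, const struct inode *i, int m) { (void)t; (void)i; (void)m; return -EACCES; }

int main(void)
{
    struct inode f = { 1000, 1000, 0600 };                 /* constructed sample file */
    struct task other = { 2000, 2000, 0 }, priv = { 2000, 2000, 1UL << CAP_DAC_OVERRIDE };
    printf("%d %d %d\n", permission(&other, &f, MAY_READ, allow_all),
           permission(&priv, &f, MAY_READ, NULL), permission(&priv, &f, MAY_READ, deny_all));
    return 0;
}
```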
    


