File access control

From: Jonathan Boler (j.m.boler@private)
Date: Thu Nov 27 2003 - 10:17:38 PST

  • Next message: Valdis.Kletnieks@private: "Re: [PATCH] BSD Secure Levels LSM"

    I'm currently in the planning stage for trying to write a LSM that restricts/allows file access based on the NAME of the file. I hope to be able to specify a set of rules using regular expressions applied to the absolute path of the file to allow/deny lists of users access.
    I notice in some of the docs that LSM hooks are called after DAC has taken place but there are cases where you can override this if the call goes through capable(). Is it possible to allow someone access to a file/directory using LSM when the inode permissions deny access ? I'm looking to try and control linking/unlinking, mkdir/rmdir too.
    Also is it possible to get the absolute pathname that was used to access an inode so I can restrict access based on the path ?
    Any tips would be greatly appreciated.

    This archive was generated by hypermail 2b30 : Thu Nov 27 2003 - 10:17:30 PST