On Thu, 2003-11-27 at 13:17, Jonathan Boler wrote:
> Hi
>
> I'm currently in the planning stage for trying to write a LSM that restricts/allows file access based on the NAME of the file. I hope to be able to specify a set of rules using regular expressions applied to the absolute path of the file to allow/deny lists of users access.
>
> I notice in some of the docs that LSM hooks are called after DAC has taken place but there are cases where you can override this if the call goes through capable(). Is it possible to allow someone access to a file/directory using LSM when the inode permissions deny access? I'm looking to try and control linking/unlinking, mkdir/rmdir too.
>
> Also is it possible to get the absolute pathname that was used to access an inode so I can restrict access based on the path?
>
> Any tips would be greatly appreciated.

Pathname-based security considered harmful. You want to control access to an object, not a name, and the name-to-object mapping is neither one-to-one nor immutable. Have you considered whether SELinux will allow you to implement your desired security goals via a particular security policy configuration, as opposed to implementing a new LSM?

-- 
Stephen Smalley <sds@private>
National Security Agency
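Added illustration of the point made in the reply above; it is not part of the original thread. A toy path-regex rule of the kind the original poster proposed is evaluated against a hard link and a rename in a scratch directory, showing that one object can carry several names and one name can refer to different objects over time. The policy pattern, file names and file contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed toy policy: deny any absolute path containing "/secret/",
# the sort of name-based rule the original poster wanted to express.
DENY_PATTERNS = [re.compile(r"/secret/")]

def name_policy_allows(path: str) -> bool:
    """Decide purely on the textual absolute path, as a pathname-based rule would."""
    return not any(p.search(os.path.abspath(path)) for p in DENY_PATTERNS)

def demonstrate(root: str) -> dict:
    """Exercise the name-based rule inside a scratch directory (constructed by the caller)."""
    secret_dir = os.path.join(root, "secret")
    os.makedirs(secret_dir, exist_ok=True)
    protected = os.path.join(secret_dir, "data.txt")
    with open(protected, "w") as fh:
        fh.write("constructed sample content\n")

    # Many names, one object: a hard link outside secret/ reaches the same inode.
    alias = os.path.join(root, "public-alias.txt")
    os.link(protected, alias)
    same_inode = os.stat(protected).st_ino == os.stat(alias).st_ino

    # One name, different objects over time: after a rename the denied name is
    # free, and a different inode can be created under it.
    moved = os.path.join(root, "moved.txt")
    os.rename(protected, moved)
    with open(protected, "w") as fh:
        fh.write("a different object now carries the old name\n")
    name_reused = os.stat(protected).st_ino != os.stat(moved).st_ino

    return {
        "denied_by_name": not name_policy_allows(protected),
        "alias_allowed_by_name": name_policy_allows(alias),
        "alias_is_same_object": same_inode,
        "name_now_maps_to_other_object": name_reused,
    }

def run_demo() -> dict:
    """Run the demonstration in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as scratch:
        return demonstrate(scratch)

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Every flag comes back True: the rule denies the name but allows an alias of the very same object, and the denied name later refers to a different object, which is why object-bound labels (as in SELinux) rather than names are the sound basis for the policy.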
This archive was generated by hypermail 2b30 : Mon Dec 01 2003 - 06:03:35 PST