* Jonathan Boler (j.m.boler@private) wrote:
> I notice in some of the docs that LSM hooks are called after DAC has
> taken place but there are cases where you can override this if the call
> goes through capable(). Is it possible to allow someone access to a
> file/directory using LSM when the inode permissions deny access? I'm
> looking to try and control linking/unlinking, mkdir/rmdir too.

Not without overriding the decision with capable(). The hooks are
restrictive only, and are called after DAC checks.

> Also is it possible to get the absolute pathname that was used to
> access an inode so I can restrict access based on the path?

You cannot discover the path used to access an inode without knowing
both the dentry and the vfsmount objects. And as Stephen pointed out,
the namespace is mutable and does not guarantee complete mediation.

thanks,
-chris
--
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
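The following is an added user-space model of the ordering Chris describes (DAC check, capable() override inside DAC, then the LSM inode-permission hook). It is not kernel code and not from the LSM project: the model_* functions, the two sample hooks and the 0600 test inodes are constructed stand-ins for inode_permission(), generic_permission(), capable() and security_inode_permission(), kept only to show why a hook can deny but never grant.

```c
#include <stdio.h>
#include <errno.h>
#include <stdbool.h>

/*
 * Constructed user-space model of how the VFS composes a DAC check, the
 * capable() override and an LSM inode-permission hook. This is NOT kernel
 * code: the model_* names are hypothetical stand-ins for inode_permission(),
 * generic_permission(), capable() and security_inode_permission().
 */

/* Permission mask bits, mirroring the kernel's MAY_* values (rwx = 4,2,1). */
#define MAY_EXEC  1
#define MAY_WRITE 2
#define MAY_READ  4

/* Only the one capability the thread mentions is modelled. */
#define CAP_DAC_OVERRIDE (1u << 1)

struct model_cred  { unsigned uid; unsigned caps; };   /* the caller */
struct model_inode { unsigned uid; unsigned mode; };   /* mode: 0600-style rwx bits */

/* LSM hook shape: 0 means "no objection", a negative errno means deny. */
typedef int (*model_permission_hook)(const struct model_cred *,
                                     const struct model_inode *, int mask);

static bool model_capable(const struct model_cred *c, unsigned cap)
{
    return (c->caps & cap) != 0;
}

/* DAC: owner bits for the owner, "other" bits for everyone else (no group model). */
static int model_dac_permission(const struct model_cred *c,
                                const struct model_inode *i, int mask)
{
    unsigned bits = (c->uid == i->uid) ? (i->mode >> 6) : i->mode;

    if ((bits & 7u & (unsigned)mask) == (unsigned)mask)
        return 0;
    /* The override the question refers to lives here, inside DAC, not in the LSM. */
    if (model_capable(c, CAP_DAC_OVERRIDE))
        return 0;
    return -EACCES;
}

/* The composition point: DAC first, then the hook. */
static int model_inode_permission(const struct model_cred *c,
                                  const struct model_inode *i, int mask,
                                  model_permission_hook hook)
{
    int ret = model_dac_permission(c, i, mask);

    if (ret)
        return ret;                        /* DAC denied: the hook never runs, so it cannot grant */
    return hook ? hook(c, i, mask) : 0;    /* the hook may only turn an allow into a deny */
}

/* A "permissive" hook: returning 0 has no power to grant anything DAC refused. */
static int permissive_hook(const struct model_cred *c,
                           const struct model_inode *i, int mask)
{
    (void)c; (void)i; (void)mask;
    return 0;
}

/* A restrictive policy: nobody may write, whatever DAC or capabilities say. */
static int deny_write_hook(const struct model_cred *c,
                           const struct model_inode *i, int mask)
{
    (void)c; (void)i;
    return (mask & MAY_WRITE) ? -EACCES : 0;
}

/* Scenario 1: DAC denies (0600 file owned by uid 0, caller uid 1000); permissive hook. */
int scenario_hook_cannot_grant(void)
{
    struct model_cred  caller = { 1000, 0 };
    struct model_inode file   = { 0, 0600 };
    return model_inode_permission(&caller, &file, MAY_READ, permissive_hook);
}

/* Scenario 2: DAC allows (caller owns the file); hook denies write but not read. */
int scenario_hook_denies_write(int mask)
{
    struct model_cred  caller = { 1000, 0 };
    struct model_inode file   = { 1000, 0600 };
    return model_inode_permission(&caller, &file, mask, deny_write_hook);
}

/* Scenario 3: CAP_DAC_OVERRIDE gets the caller past DAC, but the hook still restricts. */
int scenario_capable_override(int mask)
{
    struct model_cred  caller = { 1000, CAP_DAC_OVERRIDE };
    struct model_inode file   = { 0, 0600 };
    return model_inode_permission(&caller, &file, mask, deny_write_hook);
}

int main(void)
{
    printf("DAC deny, permissive hook:          %d\n", scenario_hook_cannot_grant());
    printf("owner read, deny-write hook:        %d\n", scenario_hook_denies_write(MAY_READ));
    printf("owner write, deny-write hook:       %d\n", scenario_hook_denies_write(MAY_WRITE));
    printf("CAP_DAC_OVERRIDE read, deny-write:  %d\n", scenario_capable_override(MAY_READ));
    printf("CAP_DAC_OVERRIDE write, deny-write: %d\n", scenario_capable_override(MAY_WRITE));
    return 0;
}
```

Scenario 1 returns -EACCES even though the hook says 0, scenario 3 shows capable() widening DAC while the hook still denies the write; the only way to obtain the "grant when DAC denies" behaviour asked about is to change the DAC/capable() decision itself, which is exactly what the reply says.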
This archive was generated by hypermail 2b30 : Mon Dec 01 2003 - 11:52:14 PST