Re: Clarifications of LSM API

From: Stephen Smalley (sds@private)
Date: Mon Jun 28 2004 - 06:40:23 PDT


    On Mon, 2004-06-28 at 09:19, James Morris wrote:
    > On Sun, 27 Jun 2004, Andrew E. Ruder wrote:
    > 
    > > Am I way off base here or can the modules only be used to take
    > > away permissions and not to add permissions from the
    > > traditional unix permissions scheme?
    > 
    > They are 'restrictive' in that they can only reduce access, not increase
    > it.
    
    With the exception of the capable() hook, which is authoritative. 
    Hence, you could have your module's capable() hook function grant
    CAP_DAC_OVERRIDE and then have your module's inode_permission() hook
    function perform the complete access computation.
    
    -- 
    Stephen Smalley <sds@private>
    National Security Agency
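
A user-space model of the check order discussed in this message, added here as an illustration; it is not kernel code and not part of the original post. The struct names, the "label" attribute and the label-match policy are assumptions made for the example.

```c
#include <errno.h>
#include <string.h>

#define CAP_DAC_OVERRIDE 1   /* same number as the kernel capability */
#define MAY_WRITE 2
#define MAY_READ  4

/* Constructed stand-ins for task and inode state; "label" is a hypothetical module attribute. */
struct subj { unsigned uid; const char *label; };
struct obj  { unsigned owner, mode; const char *label; };

struct lsm_ops {              /* both hooks return 0 to allow */
    int (*capable)(const struct subj *, int cap);
    int (*inode_permission)(const struct subj *, const struct obj *, int mask);
};

/* Owner/other mode-bit check; on failure the capable() hook is asked for the override. */
static int dac_check(const struct lsm_ops *ops, const struct subj *s,
                     const struct obj *o, int mask)
{
    int bits = (s->uid == o->owner ? o->mode >> 6 : o->mode) & 7;
    if ((bits & mask) == mask)
        return 0;
    return ops->capable(s, CAP_DAC_OVERRIDE) == 0 ? 0 : -EACCES;
}

/* DAC first; the module hook runs only if DAC passed, so it can only subtract. */
int model_permission(const struct lsm_ops *ops, const struct subj *s,
                     const struct obj *o, int mask)
{
    int rc = dac_check(ops, s, o, mask);
    return rc ? rc : ops->inode_permission(s, o, mask);
}

static int cap_root_only(const struct subj *s, int cap) { (void)cap; return s->uid == 0 ? 0 : -EPERM; }
static int cap_grant_dac(const struct subj *s, int cap)
{   /* authoritative: hand out CAP_DAC_OVERRIDE, keep every other capability root-only */
    return cap == CAP_DAC_OVERRIDE ? 0 : cap_root_only(s, cap);
}
/* Hypothetical policy: labels must match. With cap_grant_dac this is the only check left. */
static int label_permission(const struct subj *s, const struct obj *o, int mask)
{
    (void)mask;
    return strcmp(s->label, o->label) == 0 ? 0 : -EACCES;
}

const struct lsm_ops restrictive   = { cap_root_only, label_permission };
const struct lsm_ops authoritative = { cap_grant_dac, label_permission };
```

In this model, once capable() grants CAP_DAC_OVERRIDE to every task, anything the inode_permission() hook fails to deny is allowed regardless of mode bits, so that hook has to be a complete policy.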
    


