On Mon, 2004-06-28 at 09:19, James Morris wrote:
> On Sun, 27 Jun 2004, Andrew E. Ruder wrote:
>
> > Am I way off base here or can the modules only be used to take
> > away permissions and not to add permissions from the
> > traditional unix permissions scheme?
>
> They are 'restrictive' in that they can only reduce access, not increase
> it.

With the exception of the capable() hook, which is authoritative. Hence, you could have your module's capable() hook function grant CAP_DAC_OVERRIDE and then have your module's inode_permission() hook function perform the complete access computation.

--
Stephen Smalley <sds@private>
National Security Agency
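
A userspace model of the check order described in the reply above, added here as an illustration; it is not kernel code and not code from the thread. The struct layouts, the `label` attribute, the uid/label rule and the three `*_ops` tables are assumptions made for the example; `broken_ops` shows what happens when capable() grants CAP_DAC_OVERRIDE but inode_permission() does not redo the access computation.

```c
#include <errno.h>
#include <stdio.h>
#define MAY_WRITE 2
#define MAY_READ  4
#define CAP_DAC_OVERRIDE 1

struct task  { unsigned uid; };
struct inode { unsigned uid, mode, label; };  /* label: hypothetical module attribute */
struct lsm_ops {
    int (*capable)(const struct task *, int cap);
    int (*inode_permission)(const struct task *, const struct inode *, int mask);
};
/* Traditional owner/other mode-bit check (group class omitted in this model). */
static int dac_ok(const struct task *t, const struct inode *i, int mask)
{
    unsigned bits = (t->uid == i->uid) ? (i->mode >> 6) & 7 : i->mode & 7;
    return (bits & (unsigned)mask) == (unsigned)mask;
}
/* No module loaded: only uid 0 holds the capability, hook restricts nothing. */
static int dflt_capable(const struct task *t, int cap) { (void)cap; return t->uid == 0 ? 0 : -EPERM; }
static int dflt_inode_perm(const struct task *t, const struct inode *i, int m)
{ (void)t; (void)i; (void)m; return 0; }
/* Module: capable() is authoritative, so it can lift the DAC denial ... */
static int mod_capable(const struct task *t, int cap)
{ (void)t; return cap == CAP_DAC_OVERRIDE ? 0 : -EPERM; }
/* ... so inode_permission() must redo DAC itself before adding the module's
 * own grant (constructed rule: uid 1001 may read inodes labelled 7). */
static int mod_inode_perm(const struct task *t, const struct inode *i, int mask)
{
    if (t->uid == 0 || dac_ok(t, i, mask)) return 0;
    if (t->uid == 1001 && i->label == 7 && mask == MAY_READ) return 0;
    return -EACCES;
}
/* DAC with capability override first, then the restrictive hook. */
int check_access(const struct lsm_ops *ops, const struct task *t,
                 const struct inode *i, int mask)
{
    if (!dac_ok(t, i, mask) && ops->capable(t, CAP_DAC_OVERRIDE) != 0)
        return -EACCES;
    return ops->inode_permission(t, i, mask);
}
const struct lsm_ops default_ops = { dflt_capable, dflt_inode_perm };
const struct lsm_ops module_ops  = { mod_capable,  mod_inode_perm };
const struct lsm_ops broken_ops  = { mod_capable,  dflt_inode_perm };
/* Constructed sample data: file owned by uid 1000, mode 0600, label 7. */
const struct task  alice = { 1001 }, bob = { 1002 };
const struct inode secret = { 1000, 0600, 7 };
int main(void)
{
    printf("module, alice read: %d\n", check_access(&module_ops, &alice, &secret, MAY_READ));
    printf("broken, bob write:  %d\n", check_access(&broken_ops, &bob, &secret, MAY_WRITE));
    return 0;
}
```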
This archive was generated by hypermail 2b30 : Mon Jun 28 2004 - 06:41:05 PDT