On Tue, 2005-02-01 at 08:57, tvrtko.ursulin@private wrote: > Related to mine verfiy_ops post, I was wondering, which hooks should > behave restrictivly and which authoritatively? > Is it documented somewhere or is it common sense driven? So far, as far as > I managed to pick up along the way, the only authorative hook is > capable()? Yes, only capable() is authoritative. Naturally, that can influence the others as well, e.g. if you allow capabilities like CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH when they would not normally be allowed, then the corresponding DAC checks would be overridden and the corresponding LSM hook (e.g. inode_permission) would become authoritative for that check. Not recommended, but possible. -- Stephen Smalley <sds@private> National Security Agency
This archive was generated by hypermail 2.1.3 : Tue Feb 01 2005 - 06:06:20 PST