diff for duplicates of <20046651543078502@iva4-031ea4da33a1.qloud-c.yandex.net>

diff --git a/N1/1.bin b/N1/1.bin
new file mode 100644
index 0000000..aa7c50f
--- /dev/null
+++ b/N1/1.bin
@@ -0,0 +1 @@
+<div><br /></div><div><br /></div><div>21.11.2018, 17:20, "Lev Olshvang" &lt;levonshe@yandex.com&gt;:</div><blockquote type="cite"><div xmlns="http://www.w3.org/1999/xhtml">One of the  choices of security options proposes to select default security</div><div xmlns="http://www.w3.org/1999/xhtml">CONFIG_DEFAULT_SECURITY</div><div xmlns="http://www.w3.org/1999/xhtml">User can select  traditional Unix DAC or one of LSMs.</div><div xmlns="http://www.w3.org/1999/xhtml">Suppose CONFIG_DEFAULT_SECURITY_DAC=y  selected.</div><div xmlns="http://www.w3.org/1999/xhtml">I wonder how it affects LSM policy decisions?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">Lets take file permissions</div><div xmlns="http://www.w3.org/1999/xhtml">file fs/namei.c, kernel 4.8</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">__inode_permission ---&gt; do_inode_permission --&gt; generic_permission :</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml"><div>/*</div><div>         * Do the basic permission checks.</div><div>         */</div><div>        ret = acl_permission_check(inode, mask);</div><div>     <div>       if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))</div><div>                        return 0;</div><div> </div><div>         <div>do_inode_permission(inode, mask);</div><div>        if (retval)</div><div>                return retval;</div><div> </div><div>       ...</div><div> </div><div>        retval = devcgroup_inode_permission(inode, mask);</div><div>        if (retval)</div><div>                return retval;</div><div> </div><div>        return security_inode_permission(inode, mask);</div></div></div><div> </div></div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">from reading the code we see that first file ACL is consulted, then unix 
UID/GID then</div><div xmlns="http://www.w3.org/1999/xhtml">capabilties and finally security_inode_permissions, i.e LSM</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">So the questioned config option seems obsolete ?</div><div xmlns="http://www.w3.org/1999/xhtml">Wheher LSM always consulted last ?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">Am I write ? Perhaps I miss another code path?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div></blockquote>
\ No newline at end of file
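Review bot: The quoted C excerpt in the added message body joins fragments of two functions without marking the boundary: the `acl_permission_check` / `capable_wrt_inode_uidgid` lines sit directly above the `do_inode_permission(inode, mask);` call, although the call chain stated just before it puts `generic_permission` below `do_inode_permission`, so the excerpt does not read in execution order. Labelling the fragments, e.g. `/* generic_permission() */` before the first and `/* __inode_permission() */` before the second, would make the ordering argument checkable. As quoted, `security_inode_permission` is reached only when the earlier checks returned 0 (`if (retval) return retval;`), which suggests that in this path the LSM hook can only further restrict access the DAC checks already allowed, never grant what they refused. That ordering is fixed in the code shown; to my understanding CONFIG_DEFAULT_SECURITY only selects which security module is enabled by default at boot and does not change it.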
diff --git a/a/1.txt b/a/1.txt
deleted file mode 100644
index 5b24067..0000000
--- a/a/1.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-An HTML attachment was scrubbed...
-URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181124/d24f7b83/attachment.html>
\ No newline at end of file
diff --git a/N1/2.hdr b/N1/2.hdr
new file mode 100644
index 0000000..4b86001
--- /dev/null
+++ b/N1/2.hdr
@@ -0,0 +1,4 @@
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline
diff --git a/N1/2.txt b/N1/2.txt
new file mode 100644
index 0000000..3daa5fe
--- /dev/null
+++ b/N1/2.txt
@@ -0,0 +1,4 @@
+_______________________________________________
+Kernelnewbies mailing list
+Kernelnewbies@kernelnewbies.org
+https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
\ No newline at end of file
diff --git a/a/content_digest b/N1/content_digest
index 4e2f4c3..b8d9cc9 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -2,26 +2,37 @@
   "ref\0002782681542810050\@sas1-890ba5c2334a.qloud-c.yandex.net\0"
 ]
 [
-  "From\0levonshe\@yandex.com (Lev Olshvang)\0"
+  "From\0Lev Olshvang <levonshe\@yandex.com>\0"
 ]
 [
-  "Subject\0Kernel default security configuration - how it affects LSM policy?\0"
+  "Subject\0Re: Kernel default security configuration - how it affects LSM policy?\0"
 ]
 [
   "Date\0Sat, 24 Nov 2018 19:55:02 +0300\0"
 ]
 [
-  "To\0kernelnewbies\@lists.kernelnewbies.org\0"
+  "To\0kernelnewbies <kernelnewbies\@kernelnewbies.org>\0"
 ]
 [
-  "\0000:1\0"
+  "\0001:1\0"
 ]
 [
   "b\0"
 ]
 [
-  "An HTML attachment was scrubbed...\n",
-  "URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181124/d24f7b83/attachment.html>"
+  "<div><br /></div><div><br /></div><div>21.11.2018, 17:20, \"Lev Olshvang\" &lt;levonshe\@yandex.com&gt;:</div><blockquote type=\"cite\"><div xmlns=\"http://www.w3.org/1999/xhtml\">One of the \302\240choices of security options proposes to select default security</div><div xmlns=\"http://www.w3.org/1999/xhtml\">CONFIG_DEFAULT_SECURITY</div><div xmlns=\"http://www.w3.org/1999/xhtml\">User can select \302\240traditional Unix DAC or one of LSMs.</div><div xmlns=\"http://www.w3.org/1999/xhtml\">Suppose CONFIG_DEFAULT_SECURITY_DAC=y \302\240selected.</div><div xmlns=\"http://www.w3.org/1999/xhtml\">I wonder how it affects LSM policy decisions?</div><div xmlns=\"http://www.w3.org/1999/xhtml\">\302\240</div><div xmlns=\"http://www.w3.org/1999/xhtml\">Lets take file permissions</div><div xmlns=\"http://www.w3.org/1999/xhtml\">file fs/namei.c, kernel 4.8</div><div xmlns=\"http://www.w3.org/1999/xhtml\">\302\240</div><div xmlns=\"http://www.w3.org/1999/xhtml\">__inode_permission ---&gt; do_inode_permission --&gt; generic_permission :</div><div xmlns=\"http://www.w3.org/1999/xhtml\">\302\240</div><div xmlns=\"http://www.w3.org/1999/xhtml\"><div>/*</div><div>\302\240 \302\240 \302\240 \302\240 \302\240* Do the basic permission checks.</div><div>\302\240 \302\240 \302\240 \302\240 \302\240*/</div><div>\302\240 \302\240 \302\240 \302\240 ret = acl_permission_check(inode, mask);</div><div>\302\240 \302\240 \302\240<div>\302\240 \302\240 \302\240 \302\240if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))</div><div>\302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 return 0;</div><div>\302\240</div><div>\302\240 \302\240 \302\240 \302\240 \302\240<div>do_inode_permission(inode, mask);</div><div>\302\240 \302\240 \302\240 \302\240 if (retval)</div><div>\302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 return retval;</div><div>\302\240</div><div>\302\240 \302\240 \302\240 
\302\240...</div><div>\302\240</div><div>\302\240 \302\240 \302\240 \302\240 retval = devcgroup_inode_permission(inode, mask);</div><div>\302\240 \302\240 \302\240 \302\240 if (retval)</div><div>\302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 return retval;</div><div>\302\240</div><div>\302\240 \302\240 \302\240 \302\240 return security_inode_permission(inode, mask);</div></div></div><div>\302\240</div></div><div xmlns=\"http://www.w3.org/1999/xhtml\">\302\240</div><div xmlns=\"http://www.w3.org/1999/xhtml\">\302\240</div><div xmlns=\"http://www.w3.org/1999/xhtml\">from reading the code we see that first file ACL is consulted, then unix UID/GID then</div><div xmlns=\"http://www.w3.org/1999/xhtml\">capabilties and finally security_inode_permissions, i.e LSM</div><div xmlns=\"http://www.w3.org/1999/xhtml\">\302\240</div><div xmlns=\"http://www.w3.org/1999/xhtml\">So the questioned config option seems obsolete ?</div><div xmlns=\"http://www.w3.org/1999/xhtml\">Wheher LSM always consulted last ?</div><div xmlns=\"http://www.w3.org/1999/xhtml\">\302\240</div><div xmlns=\"http://www.w3.org/1999/xhtml\">Am I write ? Perhaps I miss another code path?</div><div xmlns=\"http://www.w3.org/1999/xhtml\">\302\240</div></blockquote>"
+]
+[
+  "\0001:2\0"
+]
+[
+  "b\0"
+]
+[
+  "_______________________________________________\n",
+  "Kernelnewbies mailing list\n",
+  "Kernelnewbies\@kernelnewbies.org\n",
+  "https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies"
 ]
 
-d45fa91260ab6cd9f693eb6b5ddb477fed71ea132a2905b9ab7aee3bc559715b
+b7a401d15e0cf89ba500edf15122b3465ad394958e21e28052523f7fd2fa9ebd
