Kernel default security configuration - how it affects LSM policy?

Kernel default security configuration - how it affects LSM policy?

[Lev Olshvang]

An HTML attachment was scrubbed...
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181121/61152fa4/attachment.html>

Kernel default security configuration - how it affects LSM policy?

[Lev Olshvang]

[-- Attachment #1: Type: text/html, Size: 2499 bytes --]

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Kernel default security configuration - how it affects LSM policy?

[Lev Olshvang]

An HTML attachment was scrubbed...
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181124/d24f7b83/attachment.html>

Re: Kernel default security configuration - how it affects LSM policy?

[Lev Olshvang]

[-- Attachment #1: Type: text/html, Size: 2643 bytes --]

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Kernel default security configuration - how it affects LSM policy?

[valdis.kletnieks at vt.edu]

On Wed, 21 Nov 2018 17:20:50 +0300, Lev Olshvang said:

> So the questioned config option seems obsolete ?
> Wheher LSM always consulted last ?

If an LSM is configured/loaded, it is always consulted *after* applying
standard DAC file permission bits checks. (Discretionary Access Control- the
owner of the file/object is allowed to make their own decisions)

LSMs are always restrictive MAC (Mandatory access control - they are applied by
the system regardless of what the user/owner wants) calls. Restrictive means
they can only prohibit a call that has already passed the DAC check, they
cannot allow a call that would otherwise be failed by DAC.

LSMs are called after DAC checks for a number of reasons. One big one
is that when the LSM hooks were designed, the file permission checks were
(and still are) incredibly cheap - 3-4 opcodes or so.  So it makes sense to
do the cheap check first, as things like SELinux or AppArmor take a lot
more cycles to do the check. (There's also a few oddball corner cases where
doing the MAC check first results in non-intuitive results)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181125/0873d1ad/attachment.sig>

Re: Kernel default security configuration - how it affects LSM policy?

[valdis.kletnieks]

[-- Attachment #1.1: Type: text/plain, Size: 1082 bytes --]

On Wed, 21 Nov 2018 17:20:50 +0300, Lev Olshvang said:

> So the questioned config option seems obsolete ?
> Wheher LSM always consulted last ?

If an LSM is configured/loaded, it is always consulted *after* applying
standard DAC file permission bits checks. (Discretionary Access Control- the
owner of the file/object is allowed to make their own decisions)

LSMs are always restrictive MAC (Mandatory access control - they are applied by
the system regardless of what the user/owner wants) calls. Restrictive means
they can only prohibit a call that has already passed the DAC check, they
cannot allow a call that would otherwise be failed by DAC.

LSMs are called after DAC checks for a number of reasons. One big one
is that when the LSM hooks were designed, the file permission checks were
(and still are) incredibly cheap - 3-4 opcodes or so.  So it makes sense to
do the cheap check first, as things like SELinux or AppArmor take a lot
more cycles to do the check. (There's also a few oddball corner cases where
doing the MAC check first results in non-intuitive results)




[-- Attachment #1.2: Type: application/pgp-signature, Size: 486 bytes --]

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies