One of the  choices of security options proposes to select default security

CONFIG_DEFAULT_SECURITY

User can select  traditional Unix DAC or one of LSMs.

Suppose CONFIG_DEFAULT_SECURITY_DAC=y  selected.

I wonder how it affects LSM policy decisions?

 

Lets take file permissions

file fs/namei.c, kernel 4.8

 

__inode_permission ---> do_inode_permission --> generic_permission :

 

/*

         * Do the basic permission checks.

         */

        ret = acl_permission_check(inode, mask);

     

       if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))

                        return 0;

 

         

do_inode_permission(inode, mask);

        if (retval)

                return retval;

 

       ...

 

        retval = devcgroup_inode_permission(inode, mask);

        if (retval)

                return retval;

 

        return security_inode_permission(inode, mask);

 

 

 

from reading the code we see that first file ACL is consulted, then unix UID/GID then

capabilties and finally security_inode_permissions, i.e LSM

 

So the questioned config option seems obsolete ?

Wheher LSM always consulted last ?

 

Am I write ? Perhaps I miss another code path?