Re: [RFC 0/3] WhiteEgret LSM module

From: Casey Schaufler
Date: Fri Jun 02 2017 - 15:00:33 EST

Next message: Vineet Gupta: "Re: [PATCH v2 11/11] ARC: [plat-eznps] Handle memory error as an exception"
Previous message: Florian Fainelli: "Re: [PATCH 1/1] pinctrl: bcm: cleanup Broadcom license headers"
In reply to: Steve Kemp: "Re: [RFC 0/3] WhiteEgret LSM module"
Next in thread: Steve Kemp: "Re: [RFC 0/3] WhiteEgret LSM module"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/2/2017 10:39 AM, Steve Kemp wrote:
>> Create an security module that looks for the attribute
> For what it is worth I thought this seemed like an interesting project
> for a beginner, so I did just that. I wrote up the experience here:
>
> https://blog.steve.fi/so_i_accidentally_wrote_a_linux_security_module.html
>
> In short it was a very simple and clean approach, which I think is
> hard to get wrong. The only part I need to work on some more is the
> difference between `user` and `security` attributes.

A 'user' attribute can be set by the file owner. A 'security'
attribute requires privilege. SELinux and Smack use 'security'
attributes to prevent users from mucking with them. You need
to create module hooks for manipulating them, including

inode_init_security
inode_setxattr
inode_post_setxattr
inode_removexattr
inode_getsecurity
inode_listsecurity
inode_setsecurity
d_instantiate

>
> Steve
> --
> https://steve.fi/
>

Next message: Vineet Gupta: "Re: [PATCH v2 11/11] ARC: [plat-eznps] Handle memory error as an exception"
Previous message: Florian Fainelli: "Re: [PATCH 1/1] pinctrl: bcm: cleanup Broadcom license headers"
In reply to: Steve Kemp: "Re: [RFC 0/3] WhiteEgret LSM module"
Next in thread: Steve Kemp: "Re: [RFC 0/3] WhiteEgret LSM module"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]