Re: [RFC 0/3] WhiteEgret LSM module
From: Casey Schaufler
Date: Fri Jun 02 2017 - 15:00:33 EST
On 6/2/2017 10:39 AM, Steve Kemp wrote:
>> Create an security module that looks for the attribute
> For what it is worth I thought this seemed like an interesting project
> for a beginner, so I did just that. I wrote up the experience here:
>
> https://blog.steve.fi/so_i_accidentally_wrote_a_linux_security_module.html
>
> In short it was a very simple and clean approach, which I think is
> hard to get wrong. The only part I need to work on some more is the
> difference between `user` and `security` attributes.
A 'user' attribute can be set by the file owner. A 'security'
attribute requires privilege. SELinux and Smack use 'security'
attributes to prevent users from mucking with them. You need
to create module hooks for manipulating them, including
inode_init_security
inode_setxattr
inode_post_setxattr
inode_removexattr
inode_getsecurity
inode_listsecurity
inode_setsecurity
d_instantiate
>
> Steve
> --
> https://steve.fi/
>