On Fri, Jun 24, 2016 at 8:18 AM, Casey Schaufler <ca...@schaufler-ca.com> wrote:
> On 6/24/2016 1:40 AM, Michael Kerrisk (man-pages) wrote:
>> So, I just want to check my understanding of a couple of points:
>>
>> 1. The commoncap LSM is invoked first, and if it denies access,
>>    then no further LSM is/needs to be called.
>
> Yes. The LSM infrastructure is "bail on fail".
>
>>
>> 2. Is it the case that only one of the other LSMs (SELinux, Yama,
>>    AppArmor, etc.) is invoked, or can more than one be invoked?
>>    I thought only one is invoked, but perhaps I am out of date
>>    in my understanding.
>
> All registered modules are invoked, but only one "major"
> module can be registered. The "minor" modules show up in
> security_init, while the majors come in via do_security_initcalls.

Just to fill in the history: prior to the recent LSM stacking changes
(v4.2), commoncap (which is effectively an LSM) was hard-coded to be
stacked with the single selected primary LSM. Then Yama got hard-coded
stacked with the primary LSM too, and then Casey saved us from total
insanity by providing a proper way to stack LSMs.

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security
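
Added example, not part of the original thread and not kernel source: a userspace C model of the "bail on fail" hook walk discussed above. The module order (capability first, then Yama, then one major module, here labelled selinux) and every function and struct name are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only (not kernel code). A hook returns 0 to allow or a
 * negative errno to deny, the convention LSM hooks follow. */
typedef int (*hook_fn)(void);

struct lsm { const char *name; hook_fn hook; };
struct verdict { int rc; size_t invoked; const char *denied_by; };

int allow(void)       { return 0; }
int deny_eperm(void)  { return -EPERM; }
int deny_eacces(void) { return -EACCES; }

/* Call each registered hook in list order and stop at the first denial. */
struct verdict call_hooks(const struct lsm *list, size_t n)
{
    struct verdict v = { 0, 0, NULL };
    for (size_t i = 0; i < n; i++) {
        v.invoked++;
        v.rc = list[i].hook();
        if (v.rc != 0) {                /* bail on fail */
            v.denied_by = list[i].name;
            break;
        }
    }
    return v;
}

/* Constructed scenario. Assumed order: commoncap, a minor module (Yama),
 * then the single major module. */
struct verdict scenario(hook_fn cap, hook_fn yama, hook_fn major)
{
    const struct lsm stack[] = {
        { "capability", cap }, { "yama", yama }, { "selinux", major },
    };
    return call_hooks(stack, sizeof stack / sizeof stack[0]);
}

int main(void)
{
    struct verdict v = scenario(allow, allow, deny_eacces);
    printf("rc=%d after %zu hooks, denied by %s\n", v.rc, v.invoked,
           v.denied_by ? v.denied_by : "nobody");
    return 0;
}
```

A denial from the first module means later modules never see the request, so an audit record that a later module would have produced is absent for that access.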
