Re: [PATCH] properly split capset_check+capset_set

From: Chris Wright
Date: Tue Jan 04 2005 - 18:54:25 EST

Next message: Bill Davidsen: "Re: starting with 2.7"
Previous message: Chris Wright: "Re: [PATCH] track capabilities in default dummy security module code"
In reply to: Alan Cox: "Re: [PATCH] properly split capset_check+capset_set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Alan Cox (alan@xxxxxxxxxxxxxxxxxxx) wrote:
> On Maw, 2005-01-04 at 16:27, Serge E. Hallyn wrote:
> > The attached patch removes checks from kernel/capability.c which are
> > redundant with cap_capset_check() code, and moves the capset_check()
> > calls to immediately before the capset_set() calls. This allows
> > capset_check() to accurately check the setter's permission to set caps
> > on the target. Please apply.
>
> Why does this help ?

Without this change, the check was done without knowing who the target
really was, so the code that sets it had to check as well.

> A partial failure now returns no error ?

It never did. Now it behaves the same as signal delivery which returns
success if any signals were delivered, and failure if none were delivered.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Bill Davidsen: "Re: starting with 2.7"
Previous message: Chris Wright: "Re: [PATCH] track capabilities in default dummy security module code"
In reply to: Alan Cox: "Re: [PATCH] properly split capset_check+capset_set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]