Re: [PATCH] capabilities: Introduce CAP_RESTORE

From: Casey Schaufler
Date: Wed May 27 2020 - 12:46:07 EST


On 5/27/2020 9:37 AM, Nicolas Viennot wrote:
>>> If I understand part of CRIU correctly, then we only need read-access
>>> for the current user. I am sure Andrei, Pavel or Cyrill will correct
>>> me if I am wrong concerning map_files.
>> If I do "ls -l /proc/self/map_files" I get the link name and link content.
>> While I can't open /proc/self/map_files/7fbde0c3200-7fbde0c3300 I can read that it points to /usr/lib64/ld-2.30.so, which is something I can open and read. Sure, it's an extra step, but it's no big deal. It does raise the question of what value comes from disallowing open via the symlink.
> Reading the symlink doesn't work in two cases:
> 1) The file has been deleted

In which case you won't be able to read it directly from
the symlink, either.

> 2) The file is a memfd file

Ditto? Or is there some other problem?