One fairly good way (and that may make sense in other cases like this
too, not just the /proc filesystem) is to add a "version" to the file
descriptor that the low-level filesystem is free to use however it
wants.
In the case of the /proc filesystem, it would for example be very easy
for the procfs code to initialize the "version" at open-time to be the
start date of the process whose fd we opened. That's when we check the
permissions, so we essentially save away this "cookie" about the process
(the fact that it's the start time is not important - it should just be
"unique enough" that if the pids wrap around you won't have the same
cookie).
Then read() and write() etc things would just have something like
.. look up tsk according to the pid information ..
if (filp->f_version != tsk->start_time)
return -EIO;
.. do the actual operation ..
(and if somebody wanted to, it could also compain a few times about an
attempted crack..)
Alan fixed it in 2.0.x by adding the full security test into the
read()/write() functions, and I suggested he do something like that
because it's the "obvious" way to handle the problem. The advantage of
the above approach is that it gets the case right when you pass the file
descriptor to another process (or you lower your privileges) then the
user is still able to use it even if he woudln't be able to open the
file himself - which is the real UNIX semantics..
Alan, what do you think?
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html